<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>CWE-287 on ZAP</title>
    <link>/alerttags/cwe-287/</link>
    <description>Recent content in CWE-287 on ZAP</description>
    <generator>Hugo</generator>
    <language>en-us</language>
    <atom:link href="/alerttags/cwe-287/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Access Control Issue - Improper Authentication</title>
      <link>/docs/alerts/10101/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>/docs/alerts/10101/</guid>
      <description>&lt;p&gt;Insufficient Authentication occurs when a web site permits an attacker to access sensitive content or functionality without having to properly authenticate. Web-based administration tools are a good example of web sites providing access to sensitive functionality. Depending on the specific online resource, these web applications should not be directly accessible without requiring the user to properly verify their identity.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Authentication Credentials Captured</title>
      <link>/docs/alerts/10105-1/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>/docs/alerts/10105-1/</guid>
      <description>&lt;p&gt;An insecure authentication mechanism is in use. This gives an attacker on the network access to the user ID and password of the authenticated user. For Basic Authentication, the attacker need only monitor the network traffic until a Basic Authentication request is received, and then base64-decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password if the hash (which includes a nonce) can be successfully cracked or if a man-in-the-middle attack is mounted.&#xA;The attacker eavesdrops on the network until an authentication has completed.&lt;/p&gt;</description>
    </item>
  </channel>
</rss>
