[Feature Request]: Support basic authentication and basic auth injection

[axel3rd]

When basic-authentication is used for legacy applications, providing a valid login/password to request the "application home" and not only the "application login" page gives more chances to check if application is vulnerable.

Providing --basic-auth-user & --basic-auth-password parameters as preemptive basic authentication could be useful.

In addition, for this kind of application, even if any headers are logged with log4j, the user can sometime be logged after basic-auth decoded64 content (real use case found).

So having a --basic-auth-injection parameter with inject default payload as basic-auth user can be useful (not cumulative with --basic-auth-user, logically incompatible):

    if args.basic_inject:
        fuzzing_headers["Authorization"] = 'Basic %s' % base64.b64encode((payload + ':fakepassword').encode('utf-8')).decode()

If considered as relevant, I can provide a PR.

[mazen160]

Hi @axel3rd,

This is totally valid and relevant use-case. I thought about adding it automatically when Authorization header is in Headers list.

I saw one tweet that had a similar pattern:

[axel3rd]

I thought about adding it automatically when Authorization header is in Headers list.

There are many Authorization type (Basic, Bearer, ...) as we can see on your screenshot.
In theory we can have multiple Authorization type on same request (so thread) ... but I have never saw that in "real life".

Perhaps --authorization-injection=basic is a better name/value for this parameter.
In the future some other cumulative value --authorization-injection=basic,bearer,oauth can exist, even if I have not the concrete implementation now ^^.

But this kind of approach breaks the "adding it automatically when Authorization header is in Headers list", because it doesn't say which type of authorization we need to inject.

[axel3rd]

Reopen for merge in original repo.

Testable from https://github.com/axel3rd/log4j-scan