103

How do I set up the Basic authorization using Base64 encoded credentials?

I tried the below two commands, but of no use. Please suggest me the correct variant.

curl -i -H 'Accept:application/json' Authorization:Basic <username:password> http://example.com
curl -i -H 'Accept:application/json' Authorization:Basic.base64_encode(username:password) http://example.com

7 Answers

122

How do I set up the basic authorization?

All you need to do is use -u, --user USER[:PASSWORD]. Behind the scenes curl builds the Authorization header with base64 encoded credentials for you.

Example:

curl -u username:password -i -H 'Accept:application/json' http://example.com 

2 Comments

In this case header looks like "Authorization: Basic base64(<login>:<password>)"? What I'm trying to understand is the meaning of symbols that follow the "Basic" word :)
this is the way!
67

Use the -H header again before the Authorization:Basic things. So it will be

curl -i \
    -H 'Accept:application/json' \
    -H 'Authorization:Basic BASE64_string' \
    http://example.com

Here, BASE64_string = Base64 of username:password

3 Comments

Except of course that "username:password" has to be base64 encoded and not plain as shown here...
@DanielStenberg that's the one! that's why my request was failing, good call.
There should be a whitespace after the colon. ex: Authorization: Basic BASE64_string
52

Background

You can use the base64 CLI tool to generate the base64 encoded version of your username + password like this:

$ echo -n "joeuser:secretpass" | base64
am9ldXNlcjpzZWNyZXRwYXNz

-or-

$ base64 <<<"joeuser:secretpass"
am9ldXNlcjpzZWNyZXRwYXNzCg==

Base64 is reversible so you can also decode it to confirm like this:

$ echo -n "joeuser:secretpass" | base64 | base64 -D
joeuser:secretpass

-or-

$ base64 <<<"joeuser:secretpass" | base64 -D
joeuser:secretpass

NOTE: username = joeuser, password = secretpass

Example #1 - using -H

You can put this together into curl like this:

$ curl -H "Authorization: Basic $(echo -n "joeuser:secretpass" | base64)" http://example.com

Example #2 - using -u

Most will likely agree that if you're going to bother doing this, then you might as well just use curl's -u option.

$ curl --help |grep -- "--user "
 -u, --user USER[:PASSWORD]  Server user and password

For example:

$ curl -u someuser:secretpass http://example.com 

But you can do this in a semi-safer manner if you keep your credentials in an encrypted vault service such as LastPass or Pass.

For example, here I'm using the LastPass' CLI tool, lpass, to retrieve my credentials:

$ curl -u "$(lpass show --username example.com):$(lpass show --password example.com)" \
    http://example.com

Example #3 - using curl config

There's an even safer way to hand your credentials off to curl though. This method makes use of the -K switch.

$ curl -X GET -K \
    <(cat <<<"user = \"$(lpass show --username example.com):$(lpass show --password example.com)\"") \
    http://example.com

When used, your details remain hidden, since they're passed to curl via a temporary file descriptor, for example:

+ curl -skK /dev/fd/63 -XGET -H 'Content-Type: application/json' https://es-data-01a.example.com:9200/_cat/health
++ cat
+++ lpass show --username example.com
+++ lpass show --password example.com
1561075296 00:01:36 rdu-es-01 green 9 6 2171 1085 0 0 0 0 - 100.0%

NOTE: Above I'm communicating with one of our Elasticsearch nodes, inquiring about the cluster's health.

This method is dynamically creating a file with the contents user = "<username>:<password>" and giving that to curl.

HTTP Basic Authorization

The methods shown above are facilitating a feature known as Basic Authorization that's part of the HTTP standard.

When the user agent wants to send authentication credentials to the server, it may use the Authorization field.

The Authorization field is constructed as follows:

  1. The username and password are combined with a single colon (:). This means that the username itself cannot contain a colon.
  2. The resulting string is encoded into an octet sequence. The character set to use for this encoding is by default unspecified, as long as it is compatible with US-ASCII, but the server may suggest use of UTF-8 by sending the charset parameter.
  3. The resulting string is encoded using a variant of Base64.
  4. The authorization method and a space (e.g. "Basic ") is then prepended to the encoded string.

For example, if the browser uses Aladdin as the username and OpenSesame as the password, then the field's value is the base64-encoding of Aladdin:OpenSesame, or QWxhZGRpbjpPcGVuU2VzYW1l. Then the Authorization header will appear as:

Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l

Source: Basic access authentication

4 Comments

Just a little nitpicking, but you don't decrypt a base64 string, it's decoding :)
Also -w0 should be used for base64 command in order to disable line wrapping.
Why nobody asked about the notable difference between the outcome of two first examples?
-w0 is really important, as the behavior of curl with the flag --user user:verylongpassword and -H "Authorization: Basic $(echo -n 'user:verylongpassword' | base64 )" is different. In my case the last one did not work and I had to use base64 -w0
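
The header construction described in the answer above, together with the trailing-newline and line-wrapping pitfalls raised in its comments, as an added shell example that is not part of the original answer or comments. The function names are hypothetical; the sample tokens are the two already shown in the answer's first listing.

```bash
#!/usr/bin/env bash
# Added example (not from the original answer). Function names are hypothetical.

# basic_auth_header USER PASSWORD
# Prints "Authorization: Basic <token>" following the four steps listed above.
basic_auth_header() {
    local user="$1" pass="$2" token
    # Step 1: a colon in the username would shift the user/password split.
    case $user in
        *:*) echo "username must not contain ':'" >&2; return 1 ;;
    esac
    # Steps 2-3: printf '%s' adds no trailing newline (a here-string or plain
    # echo does), and tr removes the line breaks that some base64 builds
    # insert into long output, the portable equivalent of GNU 'base64 -w0'.
    token=$(printf '%s' "$user:$pass" | base64 | tr -d '\n')
    # Step 4: prepend the scheme name and a single space.
    printf 'Authorization: Basic %s' "$token"
}

# token_has_trailing_newline TOKEN
# Succeeds when the decoded credentials end in a newline byte (0x0a), i.e. the
# password the server receives is "secret\n" rather than "secret".
token_has_trailing_newline() {
    local last
    last=$(printf '%s' "$1" | base64 --decode | tail -c 1 | od -An -tx1 | tr -d ' \n')
    [ "$last" = "0a" ]
}

# Demo using the two tokens from the answer's first listing.
for t in am9ldXNlcjpzZWNyZXRwYXNz am9ldXNlcjpzZWNyZXRwYXNzCg==; do
    if token_has_trailing_newline "$t"; then
        echo "$t: decoded credentials end in a newline, password will not match"
    else
        echo "$t: clean"
    fi
done

# Usage with curl (not executed here):
#   curl -H "$(basic_auth_header joeuser secretpass)" http://example.com
```
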
27

One way, provide --user flag as part of curl, as follows:

curl --user username:password http://example.com 

Another way is to get Base64 encoded token of "username:password" from any online website like - https://www.base64encode.org/ and pass it as Authorization header of curl as follows:

curl -i -H 'Authorization:Basic dXNlcm5hbWU6cGFzc3dvcmQ=' http://localhost:8080/ 

Here, dXNlcm5hbWU6cGFzc3dvcmQ= is Base64 encoded token of username:password.

3 Comments

Thank you for your information of base64 encoded token
And please don't use an online website to encode your passwords, folks. Use echo -n "password" | base64.
You need to encode both user + pass: echo -n "username:password" | base64.
0

It can happen for big Intranets, that you will need the base64(domain/user:password).

Comments

0

I'm currently learning in HTB, to use the curl command for basic authentication, assuming that you need to give user name and password before accessing the webpage, use:

curl -u userName:userPassword 'http://ip_address:port' -H 'Authorization: Basic base64encodetext' 

Comments

-6

curl -D- -X GET -H "Authorization: Basic ZnJlZDpmcmVk" -H "Content-Type: application/json" http://localhost:7990/rest/api/1.0/projects

--note base64 encode =ZnJlZDpmcmVk

1 Comment

Please format the code correctly and put some explanation.
