This article will discuss various methods of specifying usernames and passwords in a cURL request.
cURL specify username and password
cURL is a versatile tool and hence provides multiple ways of passing a username and password, each with its own drawbacks.
The most basic form of authentication supported by cURL is the -u or --user parameter.
The parameter takes a username and password separated by a colon, so the command takes the form:

curl -u bob:passwd https://example.com

The command above uses -u to pass the username ‘bob’ and password ‘passwd’ to the address https://example.com.
cURL encodes the credentials in base64 and sends them in the Authorization: Basic <base64> header.
The image below shows the request above intercepted with Burp Suite.
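To make the encoding step concrete, the following added example (not code from the original article) builds the Authorization header the same way cURL's -u option does, then decodes it again. It assumes a POSIX shell with the coreutils base64 utility; the credentials are the article's own bob/passwd pair.

```shell
#!/bin/sh
# Added example (not from the original article): build the Authorization
# header exactly as cURL's -u/--user option does, and decode it again to show
# that Basic auth is only an encoding, not encryption.
# Assumes the coreutils `base64` utility is available.

# basic_auth_header USER PASSWORD -> "Authorization: Basic <base64(user:password)>"
basic_auth_header() {
    creds=$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')
    printf 'Authorization: Basic %s\n' "$creds"
}

# basic_auth_decode BASE64 -> "user:password" (what anyone watching a
# plaintext connection recovers from the header)
basic_auth_decode() {
    printf '%s' "$1" | base64 -d
}

# The cURL command from the article, `curl -u bob:passwd https://example.com`,
# sends the header produced here:
basic_auth_header bob passwd
# On an unencrypted (http://) connection that header gives the cleartext
# credentials straight back, which is the second drawback listed below:
basic_auth_decode 'Ym9iOnBhc3N3ZA=='
echo
```

The decode function is the whole reason to prefer HTTPS for any request carrying -u: the header is reversible by design, so the transport is the only thing protecting the password in transit.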
cURL Username and Password in the URL
cURL also lets you embed the username and password in the URL itself, in the form https://username:password@host. For example:

curl https://bob:passwd@example.com

This method removes the need for the -u parameter.
Drawbacks
There are several drawbacks to using the two methods discussed above. These include:
- The credentials are visible in your command history.
- When working with unencrypted protocols, the credentials can be intercepted easily.
- Process listing tools can quickly uncover the credentials.
You can address the second drawback by using only encrypted protocols such as HTTPS, but the other two need a different approach.
To keep the credentials out of your bash history, you can make cURL prompt you for the password in the terminal session.
Force cURL to Prompt for Password
To make cURL prompt you for a password, pass only the username to the -u flag, with no colon and no password:

curl -u bob https://example.com

cURL will then ask you for the password before sending the request. (If you include the colon, as in -u bob:, cURL sends an empty password instead of prompting.)
cURL Credentials with .netrc file
If you want to prevent the credentials from appearing in your command history or process listing tools, use the .netrc or a config file.
What is a .netrc file?
The .netrc file is a text file that contains login information used by auto-login processes. cURL supports this method to pass authentication credentials.
The .netrc file is located in the user’s home directory. In Windows, the file is under the name _netrc.
.netrc file format
The .netrc file follows a simple format. First, you specify the machine name, followed by the credentials associated with that machine.
The file uses the following tokens to specify various parts of the authorization information.
- machine name – allows you to specify the name of the remote machine. cURL will use the machine name that matches the remote machine specified in the URL.
- default – this is similar to the machine name, except it identifies any machine. The .netrc file can only have one default token as it represents all the machines.
- login name – specifies the username string for that machine. Spaces are not supported in usernames.
- password string – specifies the password for the specified username.
The above are the only tokens you need to know when working with cURL.
You can learn more here:
https://www.gnu.org/software/inetutils/manual/html_node/The-_002enetrc-file.html
Example
To create a .netrc entry for the username ‘bob’ and password ‘passwd’ on example.com, add the following line to the file:

machine example.com login bob password passwd

The entry tells cURL that the target machine is example.com and that it should authenticate with the username ‘bob’ and the password ‘passwd’.
We can then run cURL with the -n (--netrc) option against the URL, since cURL does not read the .netrc file unless told to:

curl -n https://example.com

Here, cURL locates the .netrc file, finds the machine token matching the host in https://example.com, and uses the associated credentials to log in.
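The following added example (not code from the original article) writes the article's entry into a .netrc file with owner-only permissions and then mirrors cURL's matching logic in a small awk lookup, including the default fallback described in the token list above. The file name, the second host and the default credentials are constructed; it assumes POSIX sh, awk and mktemp. The --netrc-file option shown in the trailing comment is a real cURL option for pointing at a file other than ~/.netrc.

```shell
#!/bin/sh
# Added example (not from the original article): a .netrc entry for the
# article's credentials, with permissions locked down, plus a small awk
# lookup that mirrors how cURL matches the URL's host against the
# `machine` tokens and falls back to `default`.
# Assumes POSIX sh, awk and mktemp; the file name and hosts are constructed.

NETRC_FILE=$(mktemp)
trap 'rm -f "$NETRC_FILE"' EXIT

# Restrict the file to the owner before writing credentials into it: a .netrc
# stores the password in cleartext.
chmod 600 "$NETRC_FILE"

# The article's entry for example.com (one host per `machine` token; the
# optional `default` entry applies to every other host and must come last).
cat > "$NETRC_FILE" <<'EOF'
machine example.com login bob password passwd
default login guest password guestpw
EOF

# netrc_lookup FILE HOST -> "login password" for HOST, using `default` when no
# `machine` token matches; exit status 1 if nothing matches.
netrc_lookup() {
    awk -v host="$2" '
        { for (i = 1; i <= NF; i++) tok[++n] = $i }   # tokens may span lines
        END {
            for (i = 1; i <= n; i++) {
                if      (tok[i] == "machine")  cur = tok[++i]
                else if (tok[i] == "default")  cur = "default"
                else if (tok[i] == "login")    login[cur] = tok[++i]
                else if (tok[i] == "password") pass[cur]  = tok[++i]
            }
            if (host in login)           print login[host], pass[host]
            else if ("default" in login) print login["default"], pass["default"]
            else exit 1
        }' "$1"
}

netrc_lookup "$NETRC_FILE" example.com   # -> bob passwd
netrc_lookup "$NETRC_FILE" other.test    # -> guest guestpw (default entry)

# With the file in place, cURL reads it instead of taking credentials on the
# command line, so nothing sensitive appears in history or process listings:
#   curl --netrc-file "$NETRC_FILE" https://example.com
# or, for the file in your home directory:  curl -n https://example.com
```

The lookup reads the whole file into a token list before matching, because the .netrc format does not require machine, login and password to sit on one line. The chmod comes before the heredoc so the password is never, even briefly, in a world-readable file.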
Conclusion
This article explored the fundamentals of performing username and password authentication with cURL. We also covered using a .netrc file to keep credentials out of your command history and process listings.