Question

We are implementing PCI Compliance on our website, and when we scan our website for PCI Compliance we get the following error:

TCP 80

Description: Web Server Uses Basic Authentication Without HTTPS

Synopsis: The remote web server seems to transmit credentials in clear text.

Impact: The remote web server contains web pages that are protected by 'Basic' authentication over plain text.

An attacker eavesdropping the traffic might obtain logins and passwords of valid users.

Data Received: The following web pages use Basic Authentication over an unencrypted channel :

/test:/ realm="www.abc.com"

Resolution: Make sure that HTTP authentication is transmitted over HTTPS.

Risk Factor: Medium/ CVSS2 Base Score: 4.0

Question: I am not sure how to resolve this problem. My website is already running on HTTPS and basic authentication is already disabled in IIS, but I am still getting this problem.


Solution

Going to the URL http://www.abc.com/test results in a prompt with HTTP Basic Authentication.

You need to remove that in order for the error to be resolved.
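To confirm the fix before re-running the scan, the check below reproduces what the scanner flags: a 401 response carrying a `Basic` challenge on a plain `http://` URL. It is an added example, not part of the original answer; the function names `classify` and `probe` are hypothetical, and the sample responses are constructed, not captured from a real server.

```python
import http.client
import re
from urllib.parse import urlsplit

# Matches a Basic challenge at the start of a header value or after a comma,
# and captures its realm when one is given.
BASIC_RE = re.compile(r'(?:^|,)\s*Basic\b(?:\s+realm="([^"]*)")?', re.I)

def classify(url, status, headers):
    """Return a finding string for one response; headers is a list of (name, value)."""
    scheme = urlsplit(url).scheme.lower()
    challenges = [v for k, v in headers if k.lower() == "www-authenticate"]
    realms = [m.group(1) or "" for v in challenges for m in BASIC_RE.finditer(v)]
    if status == 401 and realms:
        if scheme == "http":
            return f'FAIL: Basic challenge over cleartext HTTP (realm="{realms[0]}")'
        return "OK: Basic challenge, but only over HTTPS"
    location = next((v for k, v in headers if k.lower() == "location"), "")
    if scheme == "http" and 300 <= status < 400 and location.lower().startswith("https://"):
        return "OK: redirected to HTTPS before any challenge"
    return "OK: no Basic challenge on this URL"

def probe(url, timeout=5):
    """Fetch url without following redirects and classify the response."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        return classify(url, resp.status, resp.getheaders())
    finally:
        conn.close()

# Constructed sample responses (not captured from a real server).
SAMPLES = [
    ("http://www.abc.com/test", 401, [("WWW-Authenticate", 'Basic realm="www.abc.com"')]),
    ("http://www.abc.com/test", 301, [("Location", "https://www.abc.com/test")]),
    ("https://www.abc.com/test", 401, [("WWW-Authenticate", 'Negotiate, Basic realm="www.abc.com"')]),
]

if __name__ == "__main__":
    for url, status, headers in SAMPLES:
        print(url, status, "->", classify(url, status, headers))
```

Running `probe()` against the `http://` form of each path listed in the scan report shows whether the port 80 binding still issues the challenge, regardless of what the HTTPS site is configured to do.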

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow