Authentication Bypass by Assumed-Immutable Data
ID: 302 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: INCOMPLETE |
Abstraction Type: Variant |
Description
The authentication scheme or implementation uses key data
elements that are assumed to be immutable, but can be controlled or modified by
the attacker.
Applicable Platforms
Language Class: All
Time Of Introduction
- Architecture and Design
- Implementation
Related Attack Patterns
Common Consequences
Scope | Technical Impact | Notes |
---|
Access Control | Bypass protection mechanism | |
Detection Methods
None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|
Architecture and Design, Operation, Implementation | | Implement proper protection for data that is assumed to be immutable but is actually under client control (e.g. environment variables, hidden form fields, cookies): keep the authoritative state server-side, or verify the integrity of the data before using it in an authentication decision. | | |
Relationships
Related CWE | Type | View | Chain |
---|
CWE-302 ChildOf CWE-898 | Category | CWE-888 | |
Demonstrative Examples (Details)
- In the following example, an "authenticated" cookie is used to
determine whether or not a user should be granted access to a system.
Modifying the value of a cookie on the client side is trivial (any HTTP
client can send an arbitrary Cookie header), but many developers assume
that cookies are essentially immutable once the server has set them.
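The pattern described above, as an added example that is not code from the CWE entry itself: a handler that trusts a client-writable "authenticated"/"role" cookie beside a hardened version that keeps the claims in a cookie but binds them to a server-held HMAC key, so that any client-side edit is detected. The cookie names, the session-token layout and SERVER_KEY are assumptions made for this example, and the request headers are constructed inline.

```python
"""CWE-302 illustration (added example, not from the original page).

Vulnerable: the server reads "authenticated" and "role" straight from the
Cookie header as if the client could not change them.
Hardened: the server mints a session cookie whose payload is covered by an
HMAC-SHA256 tag under a key only the server knows, and verifies that tag
(plus expiry) before trusting anything inside the cookie.
"""
import base64
import hashlib
import hmac
import json

# Hypothetical server-side secret; in a real deployment load it from a
# secrets store and rotate it. Never ship a literal like this.
SERVER_KEY = b"example-only-do-not-use-in-production"


def parse_cookie_header(header: str) -> dict:
    """Minimal Cookie-header parser for the example: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, _, value = part.strip().partition("=")
            cookies[name] = value
    return cookies


# --- Vulnerable (CWE-302): client-controlled flags treated as immutable ----
def is_admin_vulnerable(cookie_header: str) -> bool:
    """Any client can send 'authenticated=true; role=admin' and pass this check."""
    cookies = parse_cookie_header(cookie_header)
    return cookies.get("authenticated") == "true" and cookies.get("role") == "admin"


# --- Hardened: integrity-protected session cookie ---------------------------
def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session(user: str, role: str, now: int, ttl: int = 3600) -> str:
    """Return cookie value 'b64(payload).b64(tag)'; the client cannot forge the tag."""
    payload = json.dumps({"sub": user, "role": role, "exp": now + ttl},
                         separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def verify_session(cookie_value: str, now: int):
    """Return the claims dict if the tag verifies and the session is unexpired, else None."""
    try:
        payload_b64, tag_b64 = cookie_value.split(".", 1)
        payload = _b64d(payload_b64)
        tag = _b64d(tag_b64)
    except (ValueError, TypeError):
        return None  # missing cookie, wrong shape, or bad base64
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims


def is_admin_hardened(cookie_header: str, now: int) -> bool:
    """Authorisation decision based only on server-verified claims."""
    cookies = parse_cookie_header(cookie_header)
    claims = verify_session(cookies.get("session", ""), now)
    return claims is not None and claims.get("role") == "admin"


if __name__ == "__main__":
    NOW = 1_700_000_000
    # Constructed attacker request: just set the flag cookies.
    print("vulnerable, forged cookies:", is_admin_vulnerable("authenticated=true; role=admin"))
    # Hardened: a session issued for a normal user does not grant admin...
    sess = issue_session("alice", "user", NOW)
    print("hardened, legitimate user:", is_admin_hardened("session=" + sess, NOW))
    # ...and flipping role=user to role=admin inside the payload breaks the tag.
    payload_b64, tag_b64 = sess.split(".")
    tampered = _b64e(_b64d(payload_b64).replace(b'"user"', b'"admin"')) + "." + tag_b64
    print("hardened, tampered payload:", is_admin_hardened("session=" + tampered, NOW))
```

The hardened version still stores the role in the cookie; what changes is that the server no longer assumes the value is immutable and instead checks a MAC it alone can produce. The same reasoning applies to hidden form fields and "admin-testing" style variables from the observed examples: either the value lives server-side, or its integrity is verified before it influences an authentication decision.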
Observed Examples
- CVE-2002-0367 : DebPloit
- CVE-2004-0261 : Web auth
- CVE-2002-1730 : Authentication bypass by setting certain cookies to "true".
- CVE-2002-1734 : Authentication bypass by setting certain cookies to "true".
- CVE-2002-2064 : Admin access by setting a cookie.
- CVE-2002-2054 : Gain privileges by setting cookie.
- CVE-2004-1611 : Product trusts authentication information in cookie.
- CVE-2005-1708 : Authentication bypass by setting admin-testing variable to true.
- CVE-2005-1787 : Bypass auth and gain privileges by setting a variable.
White Box Definitions None
Black Box Definitions None
Taxonomy Mappings
Taxonomy | Id | Name | Fit |
---|
PLOVER | | Authentication Bypass via Assumed-Immutable Data | |
OWASP Top Ten 2004 | A1 | Unvalidated Input | CWE_More_Specific |
CERT Java Secure Coding | SEC02-J | Do not base security checks on untrusted sources | |
References
None