Client-Side Enforcement of Server-Side Security| ID: 602 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: DRAFT |
| Abstraction Type: Base |
Description
The software is composed of a server that relies on the client
to implement a mechanism that is intended to protect the
server.
Extended DescriptionWhen the server relies on protection mechanisms placed on the client side,
an attacker can modify the client-side behavior to bypass the protection
mechanisms resulting in potentially unexpected interactions between the
client and server. The consequences will vary, depending on what the
mechanisms are trying to protect.
Enabling Factors for ExploitationConsider a product that consists of two or more processes or nodes that
must interact closely, such as a client/server model. If the product uses
protection schemes in the client in order to defend from attacks against the
server, and the server does not use the same schemes, then an attacker could
modify the client in a way that bypasses those schemes. This is a
fundamental design flaw that is primary to many weaknesses.
Likelihood of Exploit: Medium
Applicable PlatformsLanguage Class: AllArchitectural Paradigm: Client-ServerArchitectural Paradigm: Sometimes
Time Of Introduction
Related Attack Patterns
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Access_ControlAvailability | Bypass protection
mechanismDoS: crash / exit /
restart | Client-side validation checks can be easily bypassed, allowing
malformed or unexpected input to pass into the application, potentially
as trusted data. This may lead to unexpected states, behaviors and
possibly a resulting crash. |
| Access_Control | Bypass protection
mechanismGain privileges / assume
identity | Client-side checks for authentication can be easily bypassed, allowing
clients to escalate their access levels and perform unintended
actions. |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Architecture and Design | | For any security checks that are performed on the client side, ensure
that these checks are duplicated on the server side. Attackers can
bypass the client-side checks by modifying values after the checks have
been performed, or by changing the client to remove the client-side
checks entirely. Then, these modified values would be submitted to the
server.Even though client-side checks provide minimal benefits with respect
to server-side security, they are still useful. First, they can support
intrusion detection. If the server receives input that should have been
rejected by the client, then it may be an indication of an attack.
Second, client-side error-checking can provide helpful feedback to the
user about the expectations for valid input. Third, there may be a
reduction in server-side processing time for accidental input errors,
although this is typically a small savings. | | |
| Architecture and Design | | If some degree of trust is required between the two entities, then use
integrity checking and strong authentication to ensure that the inputs
are coming from a trusted source. Design the product so that this trust
is managed in a centralized fashion, especially if there are complex or
numerous communication channels, in order to reduce the risks that the
implementer will mistakenly omit a check in a single code path. | | |
| Testing | | Use dynamic tools and techniques that interact with the software using
large test suites with many diverse inputs, such as fuzz testing
(fuzzing), robustness testing, and fault injection. The software's
operation may slow down, but it should not become unstable, crash, or
generate incorrect results. | | |
| Testing | | Use tools and techniques that require manual (human) analysis, such as
penetration testing, threat modeling, and interactive tools that allow
the tester to record and modify an active session. These may be more
effective than strictly automated techniques. This is especially the
case with weaknesses that are related to design and business
rules. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-602 ChildOf CWE-907 | Category | CWE-888 | |
Demonstrative Examples (Details)
- This example contains client-side code that checks if the user
authenticated successfully before sending a command. The server-side code
performs the authentication in one step, and executes the command in a
separate step.
Observed Examples
- CVE-2006-6994 : ASP program allows upload of .asp files by bypassing client-side checks.
- CVE-2007-0163 : steganography products embed password information in the carrier file, which can be extracted from a modified client.
- CVE-2007-0164 : steganography products embed password information in the carrier file, which can be extracted from a modified client.
- CVE-2007-0100 : client allows server to modify client's configuration and overwrite arbitrary files.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| OWASP Top Ten 2004 | A1 | Unvalidated Input | CWE_More_Specific |
References:
- M. Howard D. LeBlanc .Writing Secure Code 2nd Edition. Microsoft. Section:'Chapter 23, "Client-Side Security Is an Oxymoron" Page
687'. Published on 2002.
