Use of Client-Side Authentication
ID: 603 | Date: (C)2012-05-14 (M)2022-10-10
Type: weakness | Status: DRAFT
Abstraction Type: Base
Description
A client/server product performs authentication within client
code but not in server code, allowing server-side authentication to be bypassed
via a modified client that omits the authentication check.
Extended Description
Client-side authentication is extremely weak and may be breached easily. Any attacker may read the source code and reverse-engineer the authentication mechanism to access parts of the application which would otherwise be protected.
Applicable Platforms
None
Time Of Introduction
- Architecture and Design
- Implementation
Common Consequences
Scope | Technical Impact | Notes |
---|---|---|
Access Control | Bypass protection mechanism; Gain privileges / assume identity | |
Detection Methods
None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|---|---|---|---|
Architecture and Design | | Do not rely on client side data. Always perform server side authentication. | | |
Relationships
Related CWE | Type | View | Chain |
---|---|---|---|
CWE-603 ChildOf CWE-898 | Category | CWE-888 | |
Demonstrative Examples
None
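As an added illustration (not part of the CWE entry), the following Python shows a request handler that trusts a client-supplied `authenticated` flag, beside one that verifies the credential on the server as the mitigation requires; the user store, salt and request dictionaries are constructed sample values.

```python
import hashlib
import hmac

# Constructed credential store (salt + PBKDF2-SHA256 hash); not real data.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

SALT = b"constructed-16B-salt"
USERS = {"alice": (SALT, hash_password("correct horse battery", SALT))}

def handle_weak(request: dict) -> str:
    """CWE-603 pattern: the client checks the password locally and then tells
    the server it is authenticated. The server trusts that claim, so any
    client that sends the flag without performing the check is let in."""
    if request.get("authenticated") == "true":
        return f"report for {request.get('user')}"
    return "denied"

def handle_fixed(request: dict) -> str:
    """Server-side authentication: the server verifies the credential itself
    and ignores any client-supplied statement about authentication status."""
    user = request.get("user")
    password = request.get("password", "")
    entry = USERS.get(user)
    if entry is None:
        # Hash anyway so an unknown user costs the same time as a bad password.
        hash_password(password, SALT)
        return "denied"
    salt, expected = entry
    if hmac.compare_digest(hash_password(password, salt), expected):
        return f"report for {user}"
    return "denied"

# Constructed requests: one carrying only the client-side flag (what a
# modified client would send), one carrying the actual credential.
FORGED = {"user": "alice", "authenticated": "true"}
LEGIT = {"user": "alice", "password": "correct horse battery"}

if __name__ == "__main__":
    print("weak  / forged:", handle_weak(FORGED))   # report for alice
    print("fixed / forged:", handle_fixed(FORGED))  # denied
    print("fixed / legit :", handle_fixed(LEGIT))   # report for alice
```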
Observed Examples
- CVE-2006-0230 : Client-side check for a password allows access to a server using crafted XML requests from a modified client.
White Box Definitions None
Black Box Definitions None
Taxonomy Mappings
Taxonomy | Id | Name | Fit |
---|---|---|---|
Anonymous Tool Vendor (under NDA) | | | |