[Forgot Password]
Login  Register Subscribe

30479

 
 

423868

 
 

248038

 
 

909

 
 

194772

 
 

282

 
Paid content will be excluded from the download.


Download | Alert*
CWE
view XML

Use of Client-Side Authentication

ID: 603Date: (C)2012-05-14   (M)2022-10-10
Type: weaknessStatus: DRAFT
Abstraction Type: Base





Description

A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check.

Extended Description

Client-side authentication is extremely weak and may be breached easily. Any attacker may read the source code and reverse-engineer the authentication mechanism to access parts of the application which would otherwise be protected.

Applicable Platforms
None

Time Of Introduction

  • Architecture and Design
  • Implementation

Common Consequences

ScopeTechnical ImpactNotes
Access_Control
 		Bypass protection mechanism
Gain privileges / assume identity
 		 

Detection Methods
None

Potential Mitigations

PhaseStrategyDescriptionEffectivenessNotes
Architecture and Design
 		 Do not rely on client side data. Always perform server side authentication.
 		  

Relationships

Related CWETypeViewChain
CWE-603 ChildOf CWE-898 Category CWE-888  

Demonstrative Examples
None

Observed Examples

  1. CVE-2006-0230 : Client-side check for a password allows access to a server using crafted XML requests from a modified client.

For more examples, refer to CVE relations in the bottom box.

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

TaxynomyIdNameFit
Anonymous Tool Vendor (under NDA)  
 		 

References:

  1. Mark Dowd John McDonald Justin Schuh .The Art of Software Security Assessment 1st Edition. Addison Wesley. Section:'Chapter 2, "Untrustworthy Credentials", Page 37.'. Published on 2006.
CVE    1
CVE-2020-7591

© SecPod Technologies