Use of Password Hash Instead of Password for Authentication
|ID: 836|Date: (C)2012-05-14 (M)2012-11-08|
|Type: weakness|Status: INCOMPLETE|
|Abstraction Type: Base|
The software records password hashes in a data store, receives
a hash of a password from a client, and compares the supplied hash to the hash
obtained from the data store.
Extended Description
Some authentication mechanisms rely on the client to generate the hash for
a password, possibly to reduce load on the server or to avoid sending the
password across the network. However, when the client generates the hash,
an attacker can bypass the authentication by obtaining a copy of the hash,
e.g. by using SQL injection to compromise a database of authentication
credentials, or by exploiting an information exposure. The attacker could
then use a modified client to replay the stolen hash without knowing the
original password.
As a result, a server-side comparison against a client-side hash provides
no more security than using passwords without hashing: the stored hash is
itself a password-equivalent.
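The following is an added illustration, not code from the CWE entry: a minimal credential check written the way the weakness describes (the client sends a hash, the server only compares it) next to the corrected design in which the client sends the password itself and the server derives a salted, stretched hash on its own side. The demo password, the iteration count and the record layout are assumptions made for the example; the corrected design also assumes the password travels over a protected channel such as TLS.

```python
import hashlib
import hmac
import os

# Constructed demo credential (not real data); neither design stores
# the password itself.
DEMO_PASSWORD = "correct horse battery staple"
PBKDF2_ITERATIONS = 200_000  # assumed work factor for the example


# --- Weak design (the CWE-836 pattern): the client hashes, the server compares.
def weak_enroll(password: str) -> dict:
    """Store the client-computed hash exactly as the client sends it."""
    return {"hash": hashlib.sha256(password.encode("utf-8")).hexdigest()}


def weak_verify(record: dict, client_supplied_hash: str) -> bool:
    """Compare the client's hash to the stored hash. The stored value is
    therefore a password-equivalent: a leaked store is a leaked credential."""
    return hmac.compare_digest(record["hash"], client_supplied_hash)


# --- Corrected design: the client sends the password (over a protected
# channel, assumed here) and the server salts and stretches it itself.
def strong_enroll(password: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


def strong_verify(record: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(record["hash"], candidate)


def demo() -> dict:
    """Show what a copy of the stored record is worth under each design."""
    weak = weak_enroll(DEMO_PASSWORD)
    strong = strong_enroll(DEMO_PASSWORD)
    return {
        # Weak: presenting the stored hash alone passes the check.
        "weak_accepts_stored_hash": weak_verify(weak, weak["hash"]),
        # Strong: the stored digest is not the password, so presenting it
        # fails, while the real password still verifies.
        "strong_accepts_stored_hash": strong_verify(strong, strong["hash"].hex()),
        "strong_accepts_password": strong_verify(strong, DEMO_PASSWORD),
    }
```

Calling `demo()` returns `weak_accepts_stored_hash` as True and `strong_accepts_stored_hash` as False, which is the whole difference between the two designs: only the corrected one keeps a stolen record from doubling as a login credential.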
Applicable Platforms
Language Class: Language-independent
|Scope|Impact|Note|
|---|---|---|
|Access Control|Bypass protection mechanism; Gain privileges / assume identity|An attacker could bypass the authentication routine without knowing the original password.|
|Nature|Type|ID|View|
|---|---|---|---|
|CWE-836 PeerOf|Weakness|CWE-602|CWE-1000|
- CVE-2009-1283 : Product performs authentication with user-supplied password hashes that can be obtained from a separate SQL injection vulnerability (CVE-2009-1282).
- CVE-2005-3435 : Product allows attackers to bypass authentication by obtaining the password hash for another user and specifying the hash in the pwd argument.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None