CWE

Use of Password Hash Instead of Password for Authentication

ID: 836		Date: (C)2012-05-14   (M)2022-10-10
Type: weakness		Status: INCOMPLETE
Abstraction Type: Base

Description

The software records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store.

Extended Description

Some authentication mechanisms rely on the client to generate the hash for a password, possibly to reduce load on the server or avoid sending the password across the network. However, when the client is used to generate the hash, an attacker can bypass the authentication by obtaining a copy of the hash, e.g. by using SQL injection to compromise a database of authentication credentials, or by exploiting an information exposure. The attacker could then use a modified client to replay the stolen hash without having knowledge of the original password.

As a result, the server-side comparison against a client-side hash does not provide any more security than the use of passwords without hashing.

Applicable Platforms
Language Class: Language-independent

Common Consequences

Scope	Technical Impact	Notes
Access_Control	Bypass protection mechanism Gain privileges / assume identity	An attacker could bypass the authentication routine without knowing the original password.

Detection Methods
None

Potential Mitigations
None

Relationships

Related CWE	Type	View	Chain
CWE-836 PeerOf CWE-602	Weakness	CWE-1000

Demonstrative Examples
None

Observed Examples

1. CVE-2009-1283 : Product performs authentication with user-supplied password hashes that can be obtained from a separate SQL injection vulnerability (CVE-2009-1282).
2. CVE-2005-3435 : Product allows attackers to bypass authentication by obtaining the password hash for another user and specifying the hash in the pwd argument.

For more examples, refer to CVE relations in the bottom box.

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings
None

References:
None