Weaknesses in this category are related to authentication components of a system. Frequently these deal with the ability to verify that an entity is indeed who it claims to be. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authentication capability.
| ID | Name | Description |
|---|---|---|
| CWE-289 | Authentication Bypass by Alternate Name | The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor. |
| CWE-290 | Authentication Bypass by Spoofing | This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks. |
| CWE-294 | Authentication Bypass by Capture-replay | A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes). |
| CWE-295 | Improper Certificate Validation | The product does not validate, or incorrectly validates, a certificate. |
| CWE-301 | Reflection Attack in an Authentication Protocol | Simple authentication protocols are subject to reflection attacks if a malicious user can use the target machine to impersonate a trusted user. |
| CWE-303 | Incorrect Implementation of Authentication Algorithm | The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect. |
| CWE-305 | Authentication Bypass by Primary Weakness | The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error. |
| CWE-306 | Missing Authentication for Critical Function | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-307 | Improper Restriction of Excessive Authentication Attempts | The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |
| CWE-308 | Use of Single-factor Authentication | The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme. |
| CWE-309 | Use of Password System for Primary Authentication | The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism. |
| CWE-322 | Key Exchange without Entity Authentication | The product performs a key exchange with an actor without verifying the identity of that actor. |
| CWE-603 | Use of Client-Side Authentication | A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check. |
| CWE-645 | Overly Restrictive Account Lockout Mechanism | The product contains an account lockout protection mechanism, but the mechanism is too restrictive and can be triggered too easily, which allows attackers to deny service to legitimate users by causing their accounts to be locked out. |
| CWE-804 | Guessable CAPTCHA | The product uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor. |
| CWE-836 | Use of Password Hash Instead of Password for Authentication | The product records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store. |

CWE-699 is not a member weakness of this category; it is the view in which the category itself appears:

| ID | Name | Description |
|---|---|---|
| CWE-699 | Software Development | This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping. |