Category: OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures
Incomplete
Summary
Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top Ten 2021.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-259 | Use of Hard-coded Password | The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components. |
| CWE-287 | Improper Authentication | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
| CWE-288 | Authentication Bypass Using an Alternate Path or Channel | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
| CWE-290 | Authentication Bypass by Spoofing | This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks. |
| CWE-294 | Authentication Bypass by Capture-replay | A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes). |
| CWE-295 | Improper Certificate Validation | The product does not validate, or incorrectly validates, a certificate. |
| CWE-297 | Improper Validation of Certificate with Host Mismatch | The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host. |
| CWE-300 | Channel Accessible by Non-Endpoint | The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint. |
| CWE-302 | Authentication Bypass by Assumed-Immutable Data | The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker. |
| CWE-304 | Missing Critical Step in Authentication | The product implements an authentication technique, but it skips a step that weakens the technique. |
| CWE-306 | Missing Authentication for Critical Function | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-307 | Improper Restriction of Excessive Authentication Attempts | The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |
| CWE-346 | Origin Validation Error | The product does not properly verify that the source of data or communication is valid. |
| CWE-384 | Session Fixation | Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. |
| CWE-521 | Weak Password Requirements | The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts. |
| CWE-613 | Insufficient Session Expiration | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |
| CWE-620 | Unverified Password Change | When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication. |
| CWE-640 | Weak Password Recovery Mechanism for Forgotten Password | The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. |
| CWE-798 | Use of Hard-coded Credentials | The product contains hard-coded credentials, such as a password or cryptographic key. |
| CWE-940 | Improper Verification of Source of a Communication Channel | The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin. |
| CWE-1344 | Weaknesses in OWASP Top Ten (2021) | CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2021. |
| CWE-1216 | Lockout Mechanism Errors | Weaknesses in this category are related to a software system's lockout mechanism. Frequently these deal with scenarios that take effect in case of multiple failed attempts to access a given resource. The weaknesses in this category could lead to a degradation of access to system assets if they are not addressed. |
| CWE-255 | Credentials Management Errors | Weaknesses in this category are related to the management of credentials. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.