Authentication Bypass by Assumed-Immutable Data

Status: Incomplete
Abstraction: Base
Structure: Simple
Description

The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.

Common Consequences
Scope: Access Control

Impact: Bypass Protection Mechanism

Potential Mitigations
Phase: Architecture and Design; Operation; Implementation
Implement proper protection for immutable data (e.g., environment variables, hidden form fields, etc.).
Demonstrative Examples
In the following example, an "authenticated" cookie is used to determine whether or not a user should be granted access to a system.

Code Example (Bad, Java):
Modifying the value of a cookie on the client-side is trivial, but many developers assume that cookies are essentially immutable.
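The following is an added illustration, not code from this entry: it places the weak check described above beside one way to protect a cookie's integrity with a server-side HMAC. The class name, method names, cookie layout (`user|expiry|tag`) and demo key are hypothetical, and it assumes the authentication state has to travel in the cookie rather than in a server-side session.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Added illustration: class, method names and cookie layout are hypothetical.
public class SignedAuthCookie {
    // Constructed demo key; a real deployment loads a random server-side secret.
    private static final byte[] KEY = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);

    // The weak pattern: the client-supplied value is the whole decision.
    static boolean weakCheck(String cookieValue) {
        return Boolean.parseBoolean(cookieValue);
    }

    private static String mac(String payload) throws Exception {
        Mac h = Mac.getInstance("HmacSHA256");
        h.init(new SecretKeySpec(KEY, "HmacSHA256"));
        byte[] tag = h.doFinal(payload.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    // Issued after a successful login as "user|expiryEpochSeconds|tag".
    static String issue(String user, long expiry) throws Exception {
        String payload = user + "|" + expiry;
        return payload + "|" + mac(payload);
    }

    // Returns the user name, or null when the cookie is malformed, altered or expired.
    static String verify(String cookie, long now) throws Exception {
        String[] p = (cookie == null) ? new String[0] : cookie.split("\\|", -1);
        if (p.length != 3) return null;
        byte[] expected = mac(p[0] + "|" + p[1]).getBytes(StandardCharsets.UTF_8);
        byte[] given = p[2].getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, given)) return null; // constant-time compare
        try {
            return Long.parseLong(p[1]) > now ? p[0] : null;
        } catch (NumberFormatException e) { return null; }
    }

    public static void main(String[] args) throws Exception {
        long now = 1_700_000_000L; // constructed timestamp
        String c = issue("alice", now + 900);
        System.out.println(weakCheck("true"));    // value typed in by the client
        System.out.println(verify(c, now));       // untouched cookie
        System.out.println(verify(c.replace("alice", "admin"), now)); // user field edited
        System.out.println(verify(c, now + 900)); // presented at expiry
    }
}
```

The tag only proves the server issued the value; it does not hide the contents or revoke a cookie before its expiry.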
Observed Examples
CVE-2002-1730: Authentication bypass by setting certain cookies to "true".
CVE-2002-1734: Authentication bypass by setting certain cookies to "true".
CVE-2002-2064: Admin access by setting a cookie.
CVE-2002-2054: Gain privileges by setting cookie.
CVE-2004-1611: Product trusts authentication information in cookie.
CVE-2005-1708: Authentication bypass by setting admin-testing variable to true.
CVE-2005-1787: Bypass auth and gain privileges by setting a variable.