Category: OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management
Obsolete
Summary
Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2004.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-259 | Use of Hard-coded Password | The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components. |
| CWE-287 | Improper Authentication | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
| CWE-296 | Improper Following of a Certificate's Chain of Trust | The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate. |
| CWE-298 | Improper Validation of Certificate Expiration | A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age. |
| CWE-302 | Authentication Bypass by Assumed-Immutable Data | The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker. |
| CWE-304 | Missing Critical Step in Authentication | The product implements an authentication technique, but it skips a step that weakens the technique. |
| CWE-307 | Improper Restriction of Excessive Authentication Attempts | The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |
| CWE-309 | Use of Password System for Primary Authentication | The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism. |
| CWE-345 | Insufficient Verification of Data Authenticity | The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. |
| CWE-384 | Session Fixation | Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. |
| CWE-521 | Weak Password Requirements | The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts. |
| CWE-522 | Insufficiently Protected Credentials | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
| CWE-525 | Use of Web Browser Cache Containing Sensitive Information | The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached. |
| CWE-613 | Insufficient Session Expiration | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |
| CWE-620 | Unverified Password Change | When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication. |
| CWE-640 | Weak Password Recovery Mechanism for Forgotten Password | The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. |
| CWE-798 | Use of Hard-coded Credentials | The product contains hard-coded credentials, such as a password or cryptographic key. |
| CWE-711 | Weaknesses in OWASP Top Ten (2004) | CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top Ten is available. |
| CWE-255 | Credentials Management Errors | Weaknesses in this category are related to the management of credentials. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.