CWE-302: Authentication Bypass by Assumed-Immutable Data

Description

The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.

Extended Description

N/A

ThreatScore

Threat Mapped score: 0.0

Industry: Finiancial

Threat priority: Unclassified

Observed Examples (CVEs)

CVE: CVE-2002-0367 — KEV

DebPloit
CVE: CVE-2004-0261

Web auth
CVE: CVE-2002-1730

Authentication bypass by setting certain cookies to "true".
CVE: CVE-2002-1734

Authentication bypass by setting certain cookies to "true".
CVE: CVE-2002-2064

Admin access by setting a cookie.
CVE: CVE-2002-2054

Gain privileges by setting cookie.
CVE: CVE-2004-1611

Product trusts authentication information in cookie.
CVE: CVE-2005-1708

Authentication bypass by setting admin-testing variable to true.
CVE: CVE-2005-1787

Bypass auth and gain privileges by setting a variable.

Related Attack Patterns (CAPEC)

Attack TTPs

T1574.007 — Path Interception by PATH Environment Variable (persistence, privilege-escalation, defense-evasion)
T1539 — Steal Web Session Cookie (credential-access)
T1574.006 — Dynamic Linker Hijacking (persistence, privilege-escalation, defense-evasion)
T1528 — Steal Application Access Token (credential-access)
T1562.003 — Impair Command History Logging (defense-evasion)
T1134 — Access Token Manipulation (defense-evasion, privilege-escalation)

Malware

APTs (Intrusion Sets)

Modes of Introduction

Phase	Note
Architecture and Design	COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic.
Implementation	N/A

Common Consequences

Impact: Bypass Protection Mechanism — Notes:

Potential Mitigations

Architecture and Design: Implement proper protection for immutable data (e.g. environment variable, hidden form fields, etc.) (N/A)

Applicable Platforms

None (Not Language-Specific, Undetermined)

Demonstrative Examples

Intro: In the following example, an "authenticated" cookie is used to determine whether or not a user should be granted access to a system.

Body: Modifying the value of a cookie on the client-side is trivial, but many developers assume that cookies are essentially immutable.

boolean authenticated = new Boolean(getCookieValue("authenticated")).booleanValue(); if (authenticated) { ... }

Notes

No notes available.

← Back to CWE list