Byte Open Security (ByteOS Network)
CWE-302: Authentication Bypass by Assumed-Immutable Data
Weakness ID: 302
Version: v4.17
Weakness Name: Authentication Bypass by Assumed-Immutable Data
Vulnerability Mapping: Allowed
Abstraction: Base
Structure: Simple
Status: Incomplete
▼Description

The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.

▼Extended Description

▼Alternate Terms
▼Relationships
Relevant to the view "Research Concepts - (1000)"
Nature | Mapping | Type | ID | Name
ChildOf | Allowed-with-Review | Class | 1390 | Weak Authentication
ChildOf | Allowed | Base | 807 | Reliance on Untrusted Inputs in a Security Decision
▼Memberships
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | Category | 724 | OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management
MemberOf | Prohibited | Category | 859 | The CERT Oracle Secure Coding Standard for Java (2011) Chapter 16 - Platform Security (SEC)
MemberOf | Prohibited | Category | 949 | SFP Secondary Cluster: Faulty Endpoint Authentication
MemberOf | Prohibited | Category | 1010 | Authenticate Actors
MemberOf | Prohibited | Category | 1353 | OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures
MemberOf | Prohibited | Category | 1396 | Comprehensive Categorization: Access Control
▼Tags
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | BOSSView | BOSS-294 | Not Language-Specific Weaknesses
MemberOf | Prohibited | BOSSView | BOSS-316 | Bypass Protection Mechanism (impact)
▼Relevant To View
Relevant to the view "Architectural Concepts - (1008)"
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | Category | 1010 | Authenticate Actors

Relevant to the view "OWASP Top Ten (2021) - (1344)"
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | Category | 1353 | OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures

Relevant to the view "Software Fault Pattern (SFP) Clusters - (888)"
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | Category | 949 | SFP Secondary Cluster: Faulty Endpoint Authentication
▼Background Detail

▼Common Consequences
Scope | Likelihood | Impact | Note
Access Control | N/A | Bypass Protection Mechanism | N/A
▼Potential Mitigations
Phase: Architecture and Design, Operation, Implementation
Description:

Implement proper protection for immutable data (e.g. environment variable, hidden form fields, etc.). In practice this means treating anything the client can send back (cookies, hidden form fields, URL parameters) or an untrusted process can set (environment variables) as mutable: keep the authentication decision on the server, or bind the client-held value to a server-held secret (for example with an HMAC) and verify that binding before acting on the value.

▼Modes Of Introduction
Phase: Architecture and Design
Note:

COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic.

Phase: Implementation
Note:

N/A

▼Applicable Platforms
Languages
Class: Not Language-Specific (Undetermined Prevalence)
▼Demonstrative Examples
Example 1

In the following example, an "authenticated" cookie is used to determine whether or not a user should be granted access to a system.

Language: Java (Bad code)

```java
// Bad code: the "authenticated" cookie is set by the client, so any client can
// send authenticated=true and pass this check without ever logging in.
boolean authenticated = new Boolean(getCookieValue("authenticated")).booleanValue();
if (authenticated) {
    ...
}
```

Modifying the value of a cookie on the client-side is trivial, but many developers assume that cookies are essentially immutable.
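As an added example (not part of the CWE entry and not the Java snippet above), the same flawed cookie check is shown in Python next to a hardened check that keeps the authentication decision bound to a server-held key, which is what the "proper protection for immutable data" in the Potential Mitigations section amounts to for cookies and hidden form fields. Every function name, the SERVER_KEY value, the clock value and the request strings are constructed for this illustration.

```python
"""Added illustration of CWE-302 (not the CWE entry's own code).

vulnerable_is_authenticated() mirrors the Java "Bad code" above: it believes a
client-writable "authenticated" cookie. The hardened path gives the client an
opaque token whose contents are bound to a server-held key, so editing the
token (e.g. changing the role) breaks verification. Every name below is
hypothetical and every request string is constructed for the example.
"""
import base64
import hashlib
import hmac
import json

# Hypothetical key. A real deployment loads this from a secret store, never
# from the code and never from anything the client can influence.
SERVER_KEY = b"constructed-example-key-replace-in-production"


def parse_cookies(cookie_header: str) -> dict:
    """Split a raw Cookie request header into a name -> value dict."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


# --- Vulnerable: the client decides whether it is authenticated --------------
def vulnerable_is_authenticated(cookie_header: str) -> bool:
    """Same logic as the Java snippet: "authenticated=true" is all it takes."""
    return parse_cookies(cookie_header).get("authenticated", "").lower() == "true"


# --- Hardened: the server decides; the client only carries a sealed token ----
def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_cookie(user: str, role: str, now: int, ttl: int = 3600) -> str:
    """Create "<payload>.<tag>" where tag = HMAC-SHA256(SERVER_KEY, payload).

    The payload is readable by the client (that is fine); what the client
    cannot do is change it and still produce a matching tag.
    """
    payload = json.dumps({"u": user, "r": role, "exp": now + ttl},
                         separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def hardened_is_authenticated(cookie_header: str, now: int):
    """Return (user, role) for a valid, unexpired session cookie, else None."""
    token = parse_cookies(cookie_header).get("session", "")
    payload_b64, sep, tag_b64 = token.rpartition(".")
    if not sep:
        return None
    try:
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
        expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
        # Constant-time compare; a plain == would leak matching-prefix timing.
        if not hmac.compare_digest(tag, expected):
            return None
        claims = json.loads(payload)
        if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
            return None
        return claims["u"], claims["r"]
    except (ValueError, KeyError, TypeError):
        # Bad base64, bad JSON, missing fields: all treated as unauthenticated.
        return None


def forge_role(token: str, new_role: str) -> str:
    """What an attacker can do to the hardened cookie: rewrite the readable
    payload and keep the old tag. The server must reject the result."""
    payload_b64, _, tag_b64 = token.rpartition(".")
    claims = json.loads(_unb64(payload_b64))
    claims["r"] = new_role
    forged = json.dumps(claims, separators=(",", ":")).encode()
    return f"{_b64(forged)}.{tag_b64}"


if __name__ == "__main__":
    NOW = 1_700_000_000  # constructed clock value
    # The CWE-302 bypass: no login, just a hand-crafted cookie.
    print("vulnerable, forged cookie:", vulnerable_is_authenticated("authenticated=true"))
    # Hardened path: a real token verifies, the forgeries do not.
    token = issue_session_cookie("alice", "user", NOW)
    print("hardened, real token:", hardened_is_authenticated(f"session={token}", NOW))
    print("hardened, forged flag:", hardened_is_authenticated("authenticated=true", NOW))
    print("hardened, edited role:", hardened_is_authenticated(f"session={forge_role(token, 'admin')}", NOW))
    print("hardened, expired:", hardened_is_authenticated(f"session={token}", NOW + 3601))
```

The hardened version still stores state on the client, so it is a signed-token design rather than a server-side session; either is acceptable against CWE-302 as long as the server, not the client, is the only party able to produce a value the check accepts. Note what the HMAC does not give you: the payload is not secret, so do not put anything in it that the user should not read, and without the expiry claim a captured token would be replayable indefinitely.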

▼Observed Examples
Reference | Description
CVE-2002-0367 | DebPloit
CVE-2004-0261 | Web auth
CVE-2002-1730 | Authentication bypass by setting certain cookies to "true".
CVE-2002-1734 | Authentication bypass by setting certain cookies to "true".
CVE-2002-2064 | Admin access by setting a cookie.
CVE-2002-2054 | Gain privileges by setting cookie.
CVE-2004-1611 | Product trusts authentication information in cookie.
CVE-2005-1708 | Authentication bypass by setting admin-testing variable to true.
CVE-2005-1787 | Bypass auth and gain privileges by setting a variable.
▼Affected Resources
▼Functional Areas
▼Weakness Ordinalities
▼Detection Methods
▼Vulnerability Mapping Notes
Usage: Allowed
Reason: Acceptable-Use
Rationale:

This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

Comments:

Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
▼Notes
▼Taxonomy Mappings
Taxonomy Name | Entry ID | Fit | Entry Name
PLOVER | N/A | N/A | Authentication Bypass via Assumed-Immutable Data
OWASP Top Ten 2004 | A1 | CWE More Specific | Unvalidated Input
The CERT Oracle Secure Coding Standard for Java (2011) | SEC02-J | N/A | Do not base security checks on untrusted sources
▼Related Attack Patterns
ID | Name
CAPEC-10 | Buffer Overflow via Environment Variables
CAPEC-13 | Subverting Environment Variable Values
CAPEC-21 | Exploitation of Trusted Identifiers
CAPEC-274 | HTTP Verb Tampering
CAPEC-31 | Accessing/Intercepting/Modifying HTTP Cookies
CAPEC-39 | Manipulating Opaque Client-based Data Tokens
CAPEC-45 | Buffer Overflow via Symbolic Links
CAPEC-77 | Manipulating User-Controlled Variables