All posts by rocco

CWE-287 – Improper Authentication

Description

When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: High

Related Weaknesses

CWE-284

Consequences

Integrity, Confidentiality, Availability, Access Control: Read Application Data, Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands

This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even allowing them to execute arbitrary code.

Potential Mitigations

Phase: Architecture and Design

Description: 

Use an authentication framework or library such as the OWASP ESAPI Authentication feature.

CVE References

  • CVE-2009-3421
    • login script for guestbook allows bypassing authentication by setting a “login_ok” parameter to 1.
  • CVE-2009-2382
    • admin script allows authentication bypass by setting a cookie value to “LOGGEDIN”.
  • CVE-2009-1048
    • VOIP product allows authentication bypass using 127.0.0.1 in the Host header.
  • CVE-2009-2213
    • product uses default “Allow” action, instead of default deny, leading to authentication bypass.
  • CVE-2009-2168
    • chain: redirect without exit (CWE-698) leads to resultant authentication bypass.
  • CVE-2009-3107
    • product does not restrict access to a listening port for a critical service, allowing authentication to be bypassed.
  • CVE-2009-1596
    • product does not properly implement a security-related configuration setting, allowing authentication bypass.
  • CVE-2009-2422
    • authentication routine returns “nil” instead of “false” in some situations, allowing authentication bypass using an invalid username.
  • CVE-2009-3232
    • authentication update script does not properly handle when admin does not select any authentication modules, allowing authentication bypass.
  • CVE-2009-3231
    • use of LDAP authentication with anonymous binds causes empty password to result in successful authentication
  • CVE-2005-3435
    • product authentication succeeds if user-provided MD5 hash matches the hash in its database; this can be subjected to replay attacks.
  • CVE-2005-0408
    • chain: product generates predictable MD5 hashes using a constant value combined with username, allowing authentication bypass.

CWE-288 – Authentication Bypass Using an Alternate Path or Channel

Description

A product requires authentication, but the product has an alternate path or channel that does not require authentication.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-287
CWE-284
CWE-420
CWE-425

Consequences

Access Control: Bypass Protection Mechanism

Potential Mitigations

Phase: Architecture and Design

Description: 

Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.

CVE References

  • CVE-2000-1179
    • Router allows remote attackers to read system logs without authentication by directly connecting to the login screen and typing certain control characters.
  • CVE-1999-1454
    • Attackers with physical access to the machine may bypass the password prompt by pressing the ESC (Escape) key.
  • CVE-1999-1077
    • OS allows local attackers to bypass the password protection of idled sessions via the programmer’s switch or CMD-PWR keyboard sequence, which brings up a debugger that the attacker can use to disable the lock.
  • CVE-2003-0304
    • Direct request of installation file allows attacker to create administrator accounts.
  • CVE-2002-0870
    • Attackers may gain additional privileges by directly requesting the web management URL.
  • CVE-2002-0066
    • Bypass authentication via direct request to named pipe.
  • CVE-2003-1035
    • User can avoid lockouts by using an API instead of the GUI to conduct brute force password guessing.

CWE-289 – Authentication Bypass by Alternate Name

Description

The software performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-287

Consequences

Access Control: Bypass Protection Mechanism

Potential Mitigations

Phase: Architecture and Design

Description: 

Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CVE References

  • CVE-2003-0317
    • Protection mechanism that restricts URL access can be bypassed using URL encoding.
  • CVE-2004-0847
    • Bypass of authentication for files using “\” (backslash) or “%5C” (encoded backslash).

CWE-29 – Path Traversal: ‘\..\filename’

Description

The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize ‘\..\filename’ (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-23

Consequences

Confidentiality, Integrity: Read Files or Directories, Modify Files or Directories

Potential Mitigations

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CVE References

  • CVE-2002-1987
    • Protection mechanism checks for “/..” but doesn’t account for Windows-specific “\..”, allowing read of arbitrary files.
  • CVE-2005-2142
    • Directory traversal vulnerability in FTP server allows remote authenticated attackers to list arbitrary directories via a “\..” sequence in an LS command.
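The decode-once, canonicalize, then validate rule (CWE-180, CWE-174) given for this entry and for CWE-289, applied to the backslash case from CVE-2002-1987, as an added Python example that is not part of the original post; BASE is an assumed document root and naive_is_safe is a constructed anti-pattern, not code from any of the products cited.

```python
import posixpath
from urllib.parse import unquote

BASE = "/srv/files"  # assumed document root for the example


def naive_is_safe(user_path: str) -> bool:
    # Constructed anti-pattern (compare CVE-2002-1987): only the literal
    # "/.." is rejected, so "\.." and "%2e%2e" pass the check untouched.
    return "/.." not in user_path


def resolve_safely(user_path: str):
    """Decode once, canonicalize, then validate containment.

    Returns the canonical absolute path under BASE, or None when the
    input would resolve to a location outside it.
    """
    decoded = unquote(user_path)            # exactly one decoding pass (CWE-174)
    decoded = decoded.replace("\\", "/")    # backslash is a separator on Windows
    joined = posixpath.join(BASE, decoded.lstrip("/"))
    canonical = posixpath.normpath(joined)  # resolves ".", ".." and "//" (CWE-180)
    if canonical != BASE and not canonical.startswith(BASE + "/"):
        return None
    return canonical
```

A double-encoded "%252e%252e" decodes to the literal directory name "%2e%2e" and stays inside BASE, which is the intended outcome of decoding only once.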

CWE-290 – Authentication Bypass by Spoofing

Description

This attack-focused weakness is caused by improperly implemented authentication schemes that are subject to spoofing attacks.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-287

Consequences

Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity

This weakness can allow an attacker to access resources which are not otherwise accessible without proper authentication.

Potential Mitigations

CVE References

  • CVE-2009-1048
    • VOIP product allows authentication bypass using 127.0.0.1 in the Host header.

CWE-291 – Reliance on IP Address for Authentication

Description

The software uses an IP address for authentication.

IP addresses can be easily spoofed. Attackers can forge the source IP address of the packets they send, but response packets will return to the forged IP address. To see the response packets, the attacker has to sniff the traffic between the victim machine and the forged IP address. In order to accomplish the required sniffing, attackers typically attempt to locate themselves on the same subnet as the victim machine. Attackers may be able to circumvent this requirement by using source routing, but source routing is disabled across much of the Internet today. In summary, IP address verification can be a useful part of an authentication scheme, but it should not be the single factor required for authentication.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: High

Related Weaknesses

CWE-290
CWE-923
CWE-471

Consequences

Access Control, Non-Repudiation: Hide Activities, Gain Privileges or Assume Identity

Malicious users can fake authentication information, impersonating any IP address.

Potential Mitigations

Phase: Architecture and Design

Description: 

Use other means of identity verification that cannot be simply spoofed. Possibilities include a username/password or certificate.

CVE References

CWE-293 – Using Referer Field for Authentication

Description

The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking.

The referer field in HTTP requests can be simply modified by malicious users, rendering it useless as a means of checking the validity of the request in question.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: High

Related Weaknesses

CWE-290

Consequences

Access Control: Gain Privileges or Assume Identity

Actions, which may not be authorized otherwise, can be carried out as if they were validated by the server referred to.

Potential Mitigations

Phase: Architecture and Design

Description: 

In order to usefully check if a given action is authorized, some means of strong authentication and method protection must be used. Use other means of authorization that cannot be simply spoofed. Possibilities include a username/password or certificate.

CVE References

CWE-294 – Authentication Bypass by Capture-replay

Description

A capture-replay flaw exists when the design of the software makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).

Capture-replay attacks are common and can be difficult to defeat without cryptography. They are a subset of network injection attacks that rely on observing previously-sent valid commands, then changing them slightly if necessary and resending the same commands to the server.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: High

Related Weaknesses

CWE-287

Consequences

Access Control: Gain Privileges or Assume Identity

Messages sent with a capture-replay attack allow access to resources which are not otherwise accessible without proper authentication.

Potential Mitigations

Phase: Architecture and Design

Description: 

Use a sequence number or timestamp in each message, together with a checksum that covers it, so that each message can be processed only once.

Phase: Architecture and Design

Description: 

Since any attacker who can listen to traffic can see sequence numbers, it is necessary to sign messages with some kind of cryptography to ensure that sequence numbers are not simply doctored along with content.

CVE References

  • CVE-2005-3435
    • product authentication succeeds if user-provided MD5 hash matches the hash in its database; this can be subjected to replay attacks.
  • CVE-2007-4961
    • Chain: cleartext transmission of the MD5 hash of password (CWE-319) enables attacks against a server that is susceptible to replay (CWE-294).
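The two mitigations above combined (a sequence number and timestamp bound to the content by a MAC, so neither can be doctored and each message is accepted once), as an added Python example that is not part of the original post; KEY is a constructed pre-shared secret and ReplayGuard is a hypothetical server-side check.

```python
import hashlib
import hmac
import json

KEY = b"constructed-shared-secret"  # assumed pre-shared key (constructed)
MAX_SKEW = 30.0                       # seconds of clock drift tolerated


def _canonical(seq: int, ts: float, body: str) -> bytes:
    # Fixed field order so client and server MAC exactly the same bytes.
    return json.dumps({"seq": seq, "ts": ts, "body": body}, sort_keys=True).encode()


def sign_message(seq: int, ts: float, body: str, key: bytes = KEY) -> dict:
    """Client side: bind sequence number and timestamp to the content with an HMAC."""
    mac = hmac.new(key, _canonical(seq, ts, body), hashlib.sha256).hexdigest()
    return {"seq": seq, "ts": ts, "body": body, "mac": mac}


class ReplayGuard:
    """Server side: a given message is accepted at most once per client."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.last_seq = {}  # client id -> highest sequence number accepted

    def accept(self, client: str, msg: dict, now: float) -> bool:
        try:
            expected = hmac.new(self.key, _canonical(msg["seq"], msg["ts"], msg["body"]),
                                hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, msg["mac"]):
                return False  # body, seq or ts was doctored; the MAC covers all three
        except (KeyError, TypeError):
            return False      # malformed message
        if abs(now - msg["ts"]) > MAX_SKEW:
            return False      # captured too long ago, even if never seen before
        if msg["seq"] <= self.last_seq.get(client, 0):
            return False      # exact replay, or an old message resent out of order
        self.last_seq[client] = msg["seq"]
        return True
```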

CWE-295 – Improper Certificate Validation

Description

The software does not validate, or incorrectly validates, a certificate.

When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. The software might connect to a malicious host while believing it is a trusted host, or the software might be deceived into accepting spoofed data that appears to originate from a trusted host.

A certificate is a token that associates an identity (principal) to a cryptographic key. Certificates can be used to check if a public key belongs to the assumed owner.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-287
CWE-322

Consequences

Integrity, Authentication: Bypass Protection Mechanism, Gain Privileges or Assume Identity

Potential Mitigations

Phase: Architecture and Design, Implementation

Description: 

Certificates should be carefully managed and checked to assure that data are encrypted with the intended owner’s public key.

Phase: Implementation

Description: 

If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.

CVE References

  • CVE-2014-1266
    • chain: incorrect “goto” in Apple SSL product bypasses certificate validation, allowing Adversary-in-the-Middle (AITM) attack (Apple “goto fail” bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint).
  • CVE-2021-22909
    • Chain: router’s firmware update procedure uses curl with “-k” (insecure) option that disables certificate validation (CWE-295), allowing adversary-in-the-middle (AITM) compromise with a malicious firmware image (CWE-494).
  • CVE-2008-4989
    • Verification function trusts certificate chains in which the last certificate is self-signed.
  • CVE-2012-5821
    • Web browser uses a TLS-related function incorrectly, preventing it from verifying that a server’s certificate is signed by a trusted certification authority (CA).
  • CVE-2009-3046
    • Web browser does not check if any intermediate certificates are revoked.
  • CVE-2011-0199
    • Operating system does not check Certificate Revocation List (CRL) in some cases, allowing spoofing using a revoked certificate.
  • CVE-2012-5810
    • Mobile banking application does not verify hostname, leading to financial loss.
  • CVE-2012-3446
    • Cloud-support library written in Python uses incorrect regular expression when matching hostname.
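The hostname check that CVE-2012-5810 skipped and CVE-2012-3446 got wrong, as an added Python example that is not part of the original post; naive_match is a constructed anti-pattern (a regex built straight from the certificate name, not the code of either product) shown beside a strict label-by-label matcher.

```python
import re


def naive_match(cert_name: str, host: str) -> bool:
    # Constructed anti-pattern: the certificate name becomes a regex as-is.
    # "." is not escaped, "*" becomes ".*", and nothing anchors the end.
    pattern = cert_name.replace("*", ".*")
    return re.match(pattern, host) is not None


def strict_match(cert_name: str, host: str) -> bool:
    """Case-insensitive, label-by-label comparison.

    A wildcard is accepted only as the whole leftmost label, only when at
    least two labels follow it, and it matches exactly one host label.
    """
    cert_labels = cert_name.lower().split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels) or "" in cert_labels or "" in host_labels:
        return False
    first, rest = cert_labels[0], cert_labels[1:]
    if any("*" in label for label in rest):
        return False  # wildcard anywhere but the leftmost label is refused
    if first == "*":
        return len(cert_labels) >= 3 and rest == host_labels[1:]
    if "*" in first:
        return False  # partial wildcards such as "w*w" are refused
    return cert_labels == host_labels
```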