Read Time:46 Second

Description

The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-287
CWE-807

 

Consequences

Access Control: Bypass Protection Mechanism

 

Potential Mitigations

Phase: Architecture and Design, Operation, Implementation

Description: 

Implement proper protection for immutable data (e.g. environment variable, hidden form fields, etc.)

CVE References

  • CVE-2002-1730
    • Authentication bypass by setting certain cookies to “true”.
  • CVE-2002-1734
    • Authentication bypass by setting certain cookies to “true”.
  • CVE-2004-1611
    • Product trusts authentication information in cookie.
  • CVE-2005-1708
    • Authentication bypass by setting admin-testing variable to true.
  • CVE-2005-1787
    • Bypass auth and gain privileges by setting a variable.