Common Weakness Enumeration (CWE): Individual Dictionary Definition (CWE version 3.0)

CWE CATEGORY: Authenticate Actors

Category ID: 1010
Status: Draft
Summary

Weaknesses in this category are related to the design and architecture of the authentication components of a system. Frequently these deal with verifying that an entity is indeed who it claims to be. If the weaknesses in this category are not addressed when designing or implementing a secure architecture, they can degrade the quality of authentication.
Membership

Nature     Type     ID    Name
MemberOf   View     1008  Architectural Concepts
HasMember  Variant  258   Empty Password in Configuration File
HasMember  Base     259   Use of Hard-coded Password
HasMember  Variant  262   Not Using Password Aging
HasMember  Base     263   Password Aging with Long Expiration
HasMember  Class    287   Improper Authentication
HasMember  Base     288   Authentication Bypass Using an Alternate Path or Channel
HasMember  Variant  289   Authentication Bypass by Alternate Name
HasMember  Base     290   Authentication Bypass by Spoofing
HasMember  Variant  291   Reliance on IP Address for Authentication
HasMember  Variant  293   Using Referer Field for Authentication
HasMember  Base     294   Authentication Bypass by Capture-replay
HasMember  Variant  301   Reflection Attack in an Authentication Protocol
HasMember  Variant  302   Authentication Bypass by Assumed-Immutable Data
HasMember  Base     303   Incorrect Implementation of Authentication Algorithm
HasMember  Base     304   Missing Critical Step in Authentication
HasMember  Base     305   Authentication Bypass by Primary Weakness
HasMember  Variant  306   Missing Authentication for Critical Function
HasMember  Base     307   Improper Restriction of Excessive Authentication Attempts
HasMember  Base     308   Use of Single-factor Authentication
HasMember  Base     322   Key Exchange without Entity Authentication
HasMember  Base     521   Weak Password Requirements
HasMember  Variant  593   Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
HasMember  Base     603   Use of Client-Side Authentication
HasMember  Variant  620   Unverified Password Change
HasMember  Base     640   Weak Password Recovery Mechanism for Forgotten Password
HasMember  Base     798   Use of Hard-coded Credentials
HasMember  Base     836   Use of Password Hash Instead of Password for Authentication
HasMember  Base     916   Use of Password Hash With Insufficient Computational Effort
References

[REF-9] Santos, J. C. S., Tarrit, K. and Mirakhorli, M. "A Catalog of Security Architecture Weaknesses." 2017 IEEE International Conference on Software Architecture (ICSA), 2017. <https://design.se.rit.edu/papers/cawe-paper.pdf>.
[REF-10] Santos, J. C. S., Peruma, A., Mirakhorli, M., Galster, M. and Sejfia, A. "Understanding Software Vulnerabilities Related to Architectural Security Tactics: An Empirical Investigation of Chromium, PHP and Thunderbird." 2017 IEEE International Conference on Software Architecture (ICSA), pages 69-78, 2017. <https://design.se.rit.edu/papers/TacticalVulnerabilities.pdf>.
Content History

Modifications
Modification Date  Modifier          Organization  Source
2017-07-25         CWE Content Team  MITRE
  New Entry

Page Last Updated: November 15, 2017