CWE - CWE-290: Authentication Bypass by Spoofing (Draft 9)

Home > CWE List > CWE-290 Individual Dictionary Definition (Draft 9)

CWE List
Full Dictionary View
Classification Tree
Reports

About
Sources
Process
Documents

Community
Related Activities
Discussion List
Research

News
Calendar
Free Newsletter

Compatibility
Program
Requirements
Declarations
Make a Declaration

Contact Us
Search the Site

Section Contents
CWE List
Full Dictionary View
Classification Tree
Reports
Other Items of Interest
Sources

Weaknesses in this attack-focused category are caused by improperly implemented authentication schemes that are subject to spoofing attacks. Resultant vuln from insufficient verification. 1000 Weakness ChildOf 592 Authentication bypass by spoofing 21 22 94 60 59 (CWE-290)

Key
- Weakness
- Base
- Variant
- Class
- Chain
- Composite
- Category
- View
- Deprecated

CWE-290 Individual Dictionary Definition (Draft 9)

Weakness ID

Status: Incomplete

290 (Weakness Base)

Description

Summary

Weaknesses in this attack-focused category are caused by improperly implemented authentication schemes that are subject to spoofing attacks.

Context Notes

Resultant vuln from insufficient verification.

Relationships

Nature	Type	ID	Name
ChildOf	Weakness Class	592	Authentication Bypass Issues
PeerOf	Weakness Variant	247	Reliance on DNS Lookups in a Security Decision
ParentOf	Weakness Variant	292	Trusting Self-reported DNS Name
ParentOf	Weakness Variant	293	Using Referer Field for Authentication
CanAlsoBe	Weakness Base	358	Improperly Implemented Security Check for Standard
PeerOf	Weakness Base	602	Design Principle Violation: Client-Side Enforcement of Server-Side Security
ParentOf	Compound Element: Composite	291	Trusting Self-reported IP Address

Source Taxonomies

PLOVER - Authentication bypass by spoofing

Related Attack Patterns

CAPEC-ID	Attack Pattern Name
21	Exploitation of Session Variables, Resource IDs and other Trusted Credentials
22	Exploiting Trust in Client (aka Make the Client Invisible)
94	Man in the Middle Attack
60	Reusing Session IDs (aka Session Replay)
59	Session Credential Falsification through Prediction

Page Last Updated: April 23, 2008


	CWE is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is hosted by The MITRE Corporation. Copyright 2008, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us