CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.7)  

Presentation Filter:

CWE-304: Missing Critical Step in Authentication

 
Missing Critical Step in Authentication
Weakness ID: 304 (Weakness Base)Status: Draft
+ Description

Description Summary

The software implements an authentication technique, but it skips a step that weakens the technique.

Extended Description

Authentication techniques should follow the algorithms that define them exactly, otherwise authentication can be bypassed or more easily subjected to brute force attacks.

+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

All

+ Common Consequences
ScopeEffect

Technical Impact: Bypass protection mechanism; Gain privileges / assume identity; Read application data; Execute unauthorized code or commands

This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or allowing attackers to execute arbitrary code.

+ Observed Examples
ReferenceDescription
Shared secret not verified in a RADIUS response packet, allowing authentication bypass by spoofing server replies.
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class287Improper Authentication
Development Concepts (primary)699
ChildOfWeakness ClassWeakness Class573Improper Following of Specification by Caller
Research Concepts (primary)1000
ChildOfCategoryCategory724OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management
Weaknesses in OWASP Top Ten (2004) (primary)711
ChildOfCategoryCategory898SFP Cluster: Authentication
Software Fault Pattern (SFP) Clusters (primary)888
MemberOfViewView884CWE Cross-section
CWE Cross-section (primary)884
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERMissing Critical Step in Authentication
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
Externally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01CigitalExternal
updated Time_of_Introduction
2008-09-08MITREInternal
updated Relationships, Taxonomy_Mappings
2008-10-14MITREInternal
updated Description
2009-03-10MITREInternal
updated Relationships
2011-06-01MITREInternal
updated Common_Consequences
2012-05-11MITREInternal
updated Common_Consequences, Relationships
2014-02-18MITREInternal
updated Relationships
Page Last Updated: June 23, 2014