CWE - CWE-602: Client-Side Enforcement of Server-Side Security (1.6)

Home > CWE List > CWE- Individual Dictionary Definition (1.6)

CWE List
Full Dictionary View
Development View
Research View
Reports

About
Sources
Process
Documents

Community
Related Activities
Discussion List
Research
CWE/SANS Top 25
CWSS

News
Calendar
Free Newsletter

Compatibility
Program
Requirements
Declarations
Make a Declaration

Contact Us
Search the Site

CWE-602: Client-Side Enforcement of Server-Side Security

Client-Side Enforcement of Server-Side Security

Weakness ID: 602 (Weakness Base)

Status: Draft

Description

Description Summary

The software is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.

Extended Description

When the server relies on protection mechanisms placed on the client side, an attacker can modify the client-side behavior to bypass the protection mechanisms resulting in potentially unexpected interactions between the client and server. The consequences will vary, depending on what the mechanisms are trying to protect.

Time of Introduction

Architecture and Design

Applicable Platforms

Languages

All

Architectural Paradigms

Client-Server: (Sometimes)

Common Consequences

Scope	Effect
Integrity	Client-side validation checks can be easily bypassed, allowing malformed or unexpected input to pass into the application, potentially as trusted data. This may lead to unexpected states, behaviors and possibly a resulting crash.
Access Control	Client-side checks for authentication can be easily bypassed, allowing clients to escalate their access levels and perform unintended actions.

Likelihood of Exploit

Medium

Enabling Factors for Exploitation

Consider a product that consists of two or more processes or nodes that must interact closely, such as a client/server model. If the product uses protection schemes in the client in order to defend from attacks against the server, and the server does not use the same schemes, then an attacker could modify the client in a way that bypasses those schemes. This is a fundamental design flaw that is primary to many weaknesses.

Demonstrative Examples

Example 1

This example contains client-side code that checks if the user authenticated successfully before sending a command. The server-side code performs the authentication in one step, and executes the command in a separate step.

CLIENT-SIDE (client.pl)

(Good Code)

Perl

$server = "server.example.com";

$username = AskForUserName();

$password = AskForPassword();

$address = AskForAddress();

$sock = OpenSocket($server, 1234);

writeSocket($sock, "AUTH $username $password\n");

$resp = readSocket($sock);

if ($resp eq "success") {

# username/pass is valid, go ahead and update the info!

writeSocket($sock, "CHANGE-ADDRESS $username $address\n";

}

else {

print "ERROR: Invalid Authentication!\n";

}

SERVER-SIDE (server.pl):

(Bad Code)

$sock = acceptSocket(1234);

($cmd, $args) = ParseClientRequest($sock);

if ($cmd eq "AUTH") {

($username, $pass) = split(/\s+/, $args, 2);

$result = AuthenticateUser($username, $pass);

writeSocket($sock, "$result\n");

# does not close the socket on failure; assumes the

# user will try again

}

elsif ($cmd eq "CHANGE-ADDRESS") {

if (validateAddress($args)) {

$res = UpdateDatabaseRecord($username, "address", $args);

writeSocket($sock, "SUCCESS\n");

}

else {

writeSocket($sock, "FAILURE -- address is malformed\n");

}

The server accepts 2 commands, "AUTH" which authenticates the user, and "CHANGE-ADDRESS" which updates the address field for the username. The client performs the authentication and only sends a CHANGE-ADDRESS for that user if the authentication succeeds. Because the client has already performed the authentication, the server assumes that the username in the CHANGE-ADDRESS is the same as the authenticated user. An attacker could modify the client by removing the code that sends the "AUTH" command and simply executing the CHANGE-ADDRESS.

Observed Examples

Reference	Description
CVE-2006-6994	ASP program allows upload of .asp files by bypassing client-side checks.
CVE-2007-0163	steganography products embed password information in the carrier file, which can be extracted from a modified client.
CVE-2007-0164	steganography products embed password information in the carrier file, which can be extracted from a modified client.
CVE-2007-0100	client allows server to modify client's configuration and overwrite arbitrary files.

Potential Mitigations

Phase	Description
Architecture and Design	For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. Even though client-side checks provide minimal benefits with respect to server-side security, they are still useful. First, they can support intrusion detection. If the server receives input that should have been rejected by the client, then it may be an indication of an attack. Second, client-side error-checking can provide helpful feedback to the user about the expectations for valid input. Third, there may be a reduction in server-side processing time for accidental input errors, although this is typically a small savings.
Architecture and Design	If some degree of trust is required between the two entities, then use integrity checking and strong authentication to ensure that the inputs are coming from a trusted source. Design the product so that this trust is managed in a centralized fashion, especially if there are complex or numerous communication channels, in order to reduce the risks that the implementer will mistakenly omit a check in a single code path.
Testing	Use dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
Testing	Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.

Weakness Ordinalities

Ordinality	Description
Primary	(where the weakness exists independent of other weaknesses)

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Category	254	Security Features	Development Concepts (primary)699
PeerOf	Weakness Base	290	Authentication Bypass by Spoofing	Research Concepts1000
PeerOf	Weakness Class	300	Channel Accessible by Non-Endpoint ('Man-in-the-Middle')	Research Concepts1000
CanPrecede	Weakness Base	471	Modification of Assumed-Immutable Data (MAID)	Research Concepts1000
ChildOf	Weakness Class	669	Incorrect Resource Transfer Between Spheres	Research Concepts (primary)1000
ChildOf	Weakness Class	693	Protection Mechanism Failure	Research Concepts1000
ChildOf	Category	722	OWASP Top Ten 2004 Category A1 - Unvalidated Input	Weaknesses in OWASP Top Ten (2004) (primary)711
ChildOf	Category	753	Porous Defenses	Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors (primary)750
ParentOf	Weakness Base	565	Reliance on Cookies without Validation and Integrity Checking	Research Concepts1000
ParentOf	Weakness Base	603	Use of Client-Side Authentication	Research Concepts (primary)1000

Research Gaps

Server-side enforcement of client-side security is conceptually likely to occur, but some architectures might have these strong dependencies as part of legitimate behavior, such as thin clients.

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
OWASP Top Ten 2004	A1	CWE More Specific	Unvalidated Input

Related Attack Patterns

CAPEC-ID	Attack Pattern Name	(CAPEC Version: 1.4)
21	Exploitation of Session Variables, Resource IDs and other Trusted Credentials
31	Accessing/Intercepting/Modifying HTTP Cookies
122	Exploitation of Authorization
162	Manipulating hidden fields to change the normal flow of transactions (eShoplifting)
202	Create Malicious Client
207	Removing Important Functionality from the Client
208	Removing/short-circuiting 'Purse' logic: removing/mutating 'cash' decrements

Content History

Modifications
Modification Date	Modifier	Organization	Source
2008-07-01	Eric Dalci	Cigital	External
2008-07-01	updated Time of Introduction
2008-09-08	CWE Content Team	MITRE	Internal
2008-09-08	updated Relationships, Other Notes, Taxonomy Mappings, Weakness Ordinalities
2009-01-12	CWE Content Team	MITRE	Internal
2009-01-12	updated Demonstrative Examples, Description, Likelihood of Exploit, Name, Observed Examples, Other Notes, Potential Mitigations, Relationships, Research Gaps, Time of Introduction
2009-03-10	CWE Content Team	MITRE	Internal
2009-03-10	updated Potential Mitigations
2009-05-27	CWE Content Team	MITRE	Internal
2009-05-27	updated Demonstrative Examples
2009-07-27	CWE Content Team	MITRE	Internal
2009-07-27	updated Related Attack Patterns, Relationships
2009-10-29	CWE Content Team	MITRE	Internal
2009-10-29	updated Applicable Platforms, Common Consequences, Description

Page Last Updated: October 29, 2009


	CWE is a Software Assurance strategic initiative sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is hosted by The MITRE Corporation. Copyright 2009, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us