Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (2.11)  

CWE-603: Use of Client-Side Authentication

Weakness ID: 603
Abstraction: Base
Status: Draft
Presentation Filter:
+ Description

Description Summary

A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check.

Extended Description

Client-side authentication is extremely weak and may be breached easily. Any attacker may read the source code and reverse-engineer the authentication mechanism to access parts of the application which would otherwise be protected.

+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Common Consequences
Access Control

Technical Impact: Bypass protection mechanism; Gain privileges / assume identity

+ Observed Examples
Client-side check for a password allows access to a server using crafted XML requests from a modified client.
+ Potential Mitigations

Phase: Architecture and Design

Do not rely on client side data. Always perform server side authentication.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class287Improper Authentication
Development Concepts (primary)699
Research Concepts1000
ChildOfWeakness BaseWeakness Base602Client-Side Enforcement of Server-Side Security
Research Concepts (primary)1000
ChildOfCategoryCategory947SFP Secondary Cluster: Authentication Bypass
Software Fault Pattern (SFP) Clusters (primary)888
PeerOfWeakness ClassWeakness Class300Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
Research Concepts1000
+ References
[REF-7] Mark Dowd, John McDonald and Justin Schuh. "The Art of Software Security Assessment". Chapter 2, "Untrustworthy Credentials", Page 37.. 1st Edition. Addison Wesley. 2006.
+ Maintenance Notes

Note that there is a close relationship between this weakness and CWE-656 (Reliance on Security through Obscurity). If developers do not believe that a user can reverse engineer a client, then they are more likely to choose client-side authentication in the belief that it is safe.

+ Content History
Submission DateSubmitterOrganizationSource
Anonymous Tool Vendor (under NDA)Externally Mined
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Potential_Mitigations, Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Description, Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences, Maintenance_Notes, Other_Notes
2012-05-11CWE Content TeamMITREInternal
updated References, Relationships
2012-10-30CWE Content TeamMITREInternal
updated Potential_Mitigations
2014-07-30CWE Content TeamMITREInternal
updated Relationships
2017-05-03CWE Content TeamMITREInternal
updated Relationships
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Client-Side Authentication

More information is available — Please select a different filter.
Page Last Updated: May 05, 2017