CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.7)  

Presentation Filter:

CWE-603: Use of Client-Side Authentication

 
Use of Client-Side Authentication
Weakness ID: 603 (Weakness Base)Status: Draft
+ Description

Description Summary

A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check.

Extended Description

Client-side authentication is extremely weak and may be breached easily. Any attacker may read the source code and reverse-engineer the authentication mechanism to access parts of the application which would otherwise be protected.

+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Common Consequences
ScopeEffect

Technical Impact: Bypass protection mechanism; Gain privileges / assume identity

+ Observed Examples
ReferenceDescription
Client-side check for a password allows access to a server using crafted XML requests from a modified client.
+ Potential Mitigations

Phase: Architecture and Design

Do not rely on client side data. Always perform server side authentication.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class287Improper Authentication
Development Concepts (primary)699
Research Concepts1000
ChildOfWeakness BaseWeakness Base602Client-Side Enforcement of Server-Side Security
Research Concepts (primary)1000
ChildOfCategoryCategory898SFP Cluster: Authentication
Software Fault Pattern (SFP) Clusters (primary)888
PeerOfWeakness ClassWeakness Class300Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
Research Concepts1000
PeerOfWeakness ClassWeakness Class592Authentication Bypass Issues
Research Concepts1000
+ References
[REF-7] Mark Dowd, John McDonald and Justin Schuh. "The Art of Software Security Assessment". Chapter 2, "Untrustworthy Credentials", Page 37.. 1st Edition. Addison Wesley. 2006.
+ Maintenance Notes

Note that there is a close relationship between this weakness and CWE-656 (Reliance on Security through Obscurity). If developers do not believe that a user can reverse engineer a client, then they are more likely to choose client-side authentication in the belief that it is safe.

+ Content History
Submissions
Submission DateSubmitterOrganizationSource
Externally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01CigitalExternal
updated Potential_Mitigations, Time_of_Introduction
2008-09-08MITREInternal
updated Description, Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings
2011-06-01MITREInternal
updated Common_Consequences, Maintenance_Notes, Other_Notes
2012-05-11MITREInternal
updated References, Relationships
2012-10-30MITREInternal
updated Potential_Mitigations
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Client-Side Authentication
Page Last Updated: June 23, 2014