Status: Draft
Weakness ID: 603 (Weakness Base)

Description Summary
A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check.

Extended Description
Client-side authentication is extremely weak and may be breached easily. Any attacker may read the source code and reverse-engineer the authentication mechanism to access parts of the application which would otherwise be protected.

Potential Mitigations
Do not rely on client side data. Always perform server side authentication.

Observed Examples
Other Notes
Note that there is a close relationship between this weakness and CWE-656 (Reliance on Security through Obscurity). If developers do not believe that a user can reverse engineer a client, then they are more likely to choose client-side authentication in the belief that it is safe.

Relationships
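The following example, added here and not part of the CWE entry itself, contrasts the weakness with its mitigation in a small simulated client/server exchange. It is constructed illustration code: the user store, the request dictionaries, the function names (client_side_login, weak_server_handle, server_login, strong_server_handle) and the fixed salt are all hypothetical. The weak server trusts an "authenticated" flag computed by the client, so a client that skips the check is believed; the hardened server verifies the credential itself and recognizes only session tokens it issued.

```python
"""Added illustration of CWE-603: an authentication check that lives only in
the client versus one enforced by the server. All names, the user store and
the request format are hypothetical and constructed for this example."""
import hashlib
import hmac
import secrets


def _hash_password(password, salt):
    # PBKDF2-HMAC-SHA256; real deployments use a per-user random salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = b"example-salt-16b"  # constructed fixed salt, for the example only
# Constructed server-side user store: username -> (salt, password hash).
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}


# The weakness: the client decides whether the user is authenticated and
# reports the result. To do so it must carry the credential data itself.
def client_side_login(username, password):
    salt, expected = USERS[username]
    ok = hmac.compare_digest(_hash_password(password, salt), expected)
    return {"user": username, "authenticated": ok, "action": "read_secret"}


# Weak server: believes whatever the client says about its own authentication.
def weak_server_handle(request):
    if request.get("authenticated"):
        return "secret for " + request["user"]
    return "denied"


# Hardened server: verifies the credential itself and issues an unguessable
# session token; clients only ever present that token, never a verdict.
SESSIONS = {}  # token -> username


def server_login(username, password):
    record = USERS.get(username)
    if record is None:
        return None
    salt, expected = record
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def strong_server_handle(request):
    user = SESSIONS.get(request.get("token", ""))
    if user is None:
        return "denied"
    return "secret for " + user


if __name__ == "__main__":
    # Honest client with a wrong password: the weak server denies it...
    print(weak_server_handle(client_side_login("alice", "wrong")))
    # ...but a client that omits the check and just asserts the flag is believed.
    print(weak_server_handle({"user": "alice", "authenticated": True}))
    # The hardened server ignores client claims; only a server-issued token works.
    print(strong_server_handle({"user": "alice", "authenticated": True}))
    print(strong_server_handle({"token": server_login("alice", "correct horse")}))
```

The point of the hardened variant is that nothing the client sends is treated as evidence of authentication: the password is checked on the server, and the only thing that later unlocks access is a token that the server itself generated and can look up.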
Taxonomy Mappings
Time of Introduction
Architecture and Design
Implementation

Content History
Submissions
Anonymous Tool Vendor (under NDA). (Externally Mined)
Modifications
Eric Dalci. Cigital. 2008-07-01. (External) updated Potential_Mitigations, Time_of_Introduction
CWE Content Team. MITRE. 2008-09-08. (Internal) updated Description, Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings
Previous Entry Names
Client-Side Authentication (changed 2008-04-11)