CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE-836: Use of Password Hash Instead of Password for Authentication

Weakness ID: 836 (Weakness Base)
Status: Incomplete

Description

Description Summary

The software records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store.

Extended Description

Some authentication mechanisms rely on the client to generate the hash for a password, possibly to reduce load on the server or avoid sending the password across the network. However, when the client is used to generate the hash, an attacker can bypass the authentication by obtaining a copy of the hash, e.g. by using SQL injection to compromise a database of authentication credentials, or by exploiting an information exposure. The attacker could then use a modified client to replay the stolen hash without having knowledge of the original password.

As a result, the server-side comparison against a client-side hash does not provide any more security than the use of passwords without hashing.

Applicable Platforms

Languages

Language-independent

Common Consequences

Scope / Effect
Technical Impact: Bypass protection mechanism; Gain privileges / assume identity
An attacker could bypass the authentication routine without knowing the original password.

Observed Examples

Reference / Description
CVE-2009-1282: Product performs authentication with user-supplied password hashes that can be obtained from a separate SQL injection vulnerability.
Product allows attackers to bypass authentication by obtaining the password hash for another user and specifying the hash in the pwd argument.

Relationships

Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Weakness Class | 287 | Improper Authentication | Development Concepts (primary) 699; Research Concepts (primary) 1000
PeerOf | Weakness Base | 602 | Client-Side Enforcement of Server-Side Security | Research Concepts 1000
Content History

Submissions
Submission Date | Submitter | Organization / Source
2011-03-22 | MITRE | Internal CWE Team

Modifications
Modification Date | Modifier | Organization | Source
2011-06-01 | MITRE | Internal | updated Common_Consequences
2012-10-30 | MITRE | Internal | updated Observed_Examples
Page Last Updated: June 23, 2014