Comprehensive Categorization: Access Control

Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource making them an easy target for attac...

Configuring an ASP.NET application to run with impersonated credentials may give the application unnecessary privileges.

The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all ...

The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.

A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it t...

The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

A product requires authentication, but the product has an alternate path or channel that does not require authentication.

The product modifies the SSL context after connection creation has begun.

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be contr...

The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a...

The CPU is not configured to provide hardware support for exclusivity of write and execute operations on memory. This allows an attacker to execute data from all of me...

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

Using an empty string as a password is insecure.

When trying to keep information confidential, an attacker can often infer some of the information by using statistics.

The product prevents direct access to a resource containing sensitive information, but it does not sufficiently limit access to metadata that is derived from the origi...

The address map of the on-chip fabric has protected and unprotected regions overlapping, allowing an attacker to bypass access control to the overlapping portion of th...

The product implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Se...

The product uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor.

During runtime, the hardware allows for test or debug logic (feature) to be activated, which allows for changing the state of the hardware. This feature can alter the ...

Signals between a hardware IP and the parent system design are incorrectly connected causing security risks.

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Aliased or mirrored memory regions in hardware designs may have inconsistent read/write permissions enforced by the hardware. A possible result is that an untrusted ag...

The product uses memory-mapped I/O registers that act as an interface to hardware functionality from software, but there is improper access control to those registers.

The product conducts a secure-boot process that transfers bootloader code from Non-Volatile Memory (NVM) into Volatile Memory (VM), but it does not have sufficient acc...

The product uses a fabric bridge for transactions between two Intellectual Property (IP) blocks, but the bridge does not properly perform the expected privilege, ident...

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.

The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized to see the original info...

The product does not validate, or incorrectly validates, a certificate.

The product does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised.

The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded.

The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the dat...

The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resou...

The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may...

The product does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses.

The product allows address regions to overlap, which can result in the bypassing of intended memory protection.

Trace data collected from several sources on the System-on-Chip (SoC) is stored in unprotected locations or transported to untrusted ag...

The product assigns the wrong ownership, or does not properly verify the ownership, of an object or resource.

The product is designed with access restricted to certain information, but it does not sufficiently protect against an unauthorized actor with physical access to these...

The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restricti...

The product uses a trusted lock bit for restricting access to registers, address regions, or other resources, but the product does not prevent the value of the lock bi...

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Untrusted agents can disable alerts about signal conditions exceeding limits or the response mechanism that handles such alerts.

The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicati...

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute fo...

The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusio...

The System-On-A-Chip (SoC) implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. ...

The product provides software-controllable device functionality for capabilities such as power and clock management, but it does not properly limit functional...

The hardware design control register "sticky bits" or write-once bit fields are improperly implemented, such that they can be reprogrammed by software.

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product ...

The bus controller enables bits in the fabric end-point to allow responder devices to control transactions on the fabric.

The bridge incorrectly translates security attributes from either trusted to untrusted or from untrusted to trusted when converting from one fabric protocol to another.

A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age.

The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.

The Android application uses a Broadcast Receiver that receives an Intent but does not properly verify that the Intent came from an authorized source.

The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is ...

The product performs a power save/restore operation, but it does not ensure that the integrity of the configuration state is maintained and/or ...

The device includes chicken bits or undocumented features that can create entry points for unauthorized actors.

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows ...

If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.

The product's debug components contain incorrect chaining or granularity of debug components.

The product implements a conversion mechanism to map certain bus-transaction signals to security identifiers. However, if the conversion is incorrectly implemented, un...

The product implements a decoding mechanism to decode certain bus-transaction signals to security identifiers. If the decoding is implemented incorrectly, then untrust...

During installation, installed file permissions are set to allow anyone to modify those files.

While it is executing, the product sets the permissions of an object in a way that violates the intended permissions that have been specified by the user.

The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.

The product assigns an owner to a resource, but the owner is outside of the intended control sphere.

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the f...

The product does not properly manage a user within its environment.

The product creates a communication channel to initiate an outgoing request to an actor, but it does not correctly specify the intended destination for that actor.

A product defines a set of insecure permissions that are inherited by objects that are created by the program.

A product inherits a set of insecure permissions for an object, e.g. when copying from an archive file, without user awareness or involvement.

The System-on-Chip (SoC) implements a Security Identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entit...

The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system fro...

The product defines a large address region protected from modification by the same register lock control bit. This results in a conflict between the functional require...

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

The product uses physical debug or test interfaces with support for multiple access levels, but it assigns the wrong debug access level to an internal ...

The J2EE application stores a plaintext password in a configuration file.

If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the product.

The product performs a key exchange with an actor without verifying the identity of that actor.

The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

The product does not check the revocation status of a certificate after its initial revocation check, which can cause the product to perform privileged actions even af...

The product implements an authentication technique, but it skips a step that weakens the technique.

The product does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords.

The firewall in an on-chip fabric protects the main addressed region, but it does not protect any mirrored memory or memory-mapped-IO (MMIO) regions.

The lack of protections on alternate paths to access control-protected assets (such as unprotected shadow registers and other external ...

The product implements a security identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. A transact...

The product uses OpenSSL and trusts or uses a certificate without using the SSL_get_verify_result() function to ensure that the certificate satisfies all necessary sec...

The device does not write-protect the parametric data values for sensors that scale the sensor value, allowing untrusted software to manipulate the apparent result and...

The register contents used for attestation or measurement reporting data to verify boot flow are modifiable by an adversary.

Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms ...

The product does not have a mechanism in place for managing password aging.

The chip does not implement or does not correctly perform access control to check whether users are authorized to access internal registers and test modes through the ...

The product contains an account lockout protection mechanism, but the mechanism is too restrictive and can be triggered too easily, which allows attackers to deny serv...

The product supports password aging, but the expiration period is too long.

The product stores a password in a configuration file that might be accessible to actors who do not know the password.

The product uses a cross-domain policy file that includes domains that should not be trusted.

The product or the administrator places a user into an incorrect group.

Storing a password in plaintext may result in a system compromise.

The product's hardware-enforced access control for a particular resource improperly accounts for privilege discrepancies between control and write policies.

The product uses an obsolete encoding mechanism to implement access controls.

Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that...

The product does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control.

A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity.

The product does not drop privileges before passing control of a resource to an actor that does not have those privileges.

The product opens an alternate channel to communicate with an authorized user, but the channel is accessible to other actors.

Simple authentication protocols are subject to reflection attacks if a malicious user can use the target machine to impersonate a trusted user.

The product uses an IP address for authentication.

The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address i...

Security-version number in hardware is mutable, resulting in the ability to downgrade (roll-back) the boot firmware to vulnerable code versions.

The product uses a register lock bit protection mechanism, but it does not ensure that the lock bit prevents modification of system registers or controls that perform ...

The SameSite attribute for sensitive cookies is not set, or an insecure value is used.

The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.

Access to security-sensitive information stored in fuses is not limited during debug.

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the reques...

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal au...

The product stores sensitive information in a file system or device that does not have built-in access control.

The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypte...

An unauthorized agent can inject errors into a redundant block to deprive the system of redundancy or put the system in a degraded operating mode.

The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request bef...

The product protects a primary channel, but it does not use the same level of protection for an alternate channel.

The product does not adequately protect confidential information on the device from being accessed by Outsourced Semiconductor Assembly and Test (OSAT) vendors.

The product uses a primary channel for administration or restricted functionality, but it does not properly protect the channel.

Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.

The product does not properly verify the source of a message in the Windows Messaging System while running at elevated privileges, creating an alternate channel throug...

An ActiveX control is intended for restricted use, but it has been marked as safe-for-scripting.

The product does not properly verify that a critical resource is owned by the proper entity.

When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client tha...

The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality.

The product uses a default cryptographic key for potentially critical functionality.

The product uses default passwords for potentially critical functionality.

The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to exter...

The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.

The Android application uses an implicit intent for transmitting sensitive data to other applications.

The product defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass t...

The product records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store.

The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.

The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme.

The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker.

The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying sec...

The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking.

The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identit...

Obscuring a password with a trivial encoding does not protect the password.

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.

This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using ta...