When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
The following examples help to illustrate the nature of this weakness and describe methods or techniques which can be used to mitigate the risk.
Note that the examples here are by no means exhaustive and any given weakness may have many subtle varieties, each of which may require different detection methods or runtime controls.
The following code intends to ensure that the user is already logged in. If not, the code performs authentication with the user-provided username and password. If successful, it sets the loggedin and user cookies to "remember" that the user has already logged in. Finally, the code performs administrator tasks if the logged-in user has the "Administrator" username, as recorded in the user cookie.
Unfortunately, this code can be bypassed. The attacker can set the cookies independently so that the code does not check the username and password. The attacker could do this with an HTTP request containing headers such as:
By setting the loggedin cookie to "true", the attacker bypasses the entire authentication check. By using the "Administrator" value in the user cookie, the attacker also gains privileges to administer the software.
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force with a large number of common words. After gaining access as the member of the support staff, the attacker used the administrator panel to gain access to 33 accounts that belonged to celebrities and politicians. Ultimately, fake Twitter messages were sent that appeared to come from the compromised accounts.
Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2017.
Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is i...
This category identifies Software Fault Patterns (SFPs) within the Authentication Bypass cluster.
This view (slice) covers all the elements in CWE.
CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses.
CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors.