Missing Authentication for Critical Function
The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
The following examples help to illustrate the nature of this weakness and describe methods or techniques which can be used to mitigate the risk.
Note that the examples here are by no means exhaustive and any given weakness may have many subtle varieties, each of which may require different detection methods or runtime controls.
In the following Java example the method createBankAccount is used to create a BankAccount object for a bank management application.
However, there is no authentication mechanism to ensure that the user creating this bank account object has the authority to create new bank accounts. Some authentication mechanisms should be used to verify that the user has the authority to create bank account objects.
The following Java code includes a boolean variable and a method for authenticating a user. If the user has not been authenticated, the createBankAccount method will not create the bank account object.
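The two cases described above, side by side, as an added example that is not the code from the original page. The class names BankManager, BankAccount and CredentialVerifier, the createBankAccountUnchecked method name, and the demo credentials are assumptions made for illustration.

```java
import java.util.Objects;

// Added illustration: BankManager, BankAccount and CredentialVerifier are hypothetical names.
public class BankManager {
    /** Assumed hook to the real credential check (password store, SSO, ...). */
    public interface CredentialVerifier {
        boolean verify(String username, char[] password);
    }

    public static final class BankAccount {
        final String number, owner;
        final double balance;
        BankAccount(String number, String owner, double balance) {
            this.number = number; this.owner = owner; this.balance = balance;
        }
    }

    private final CredentialVerifier verifier;
    // Per-instance flag: use one BankManager per user session, never a shared singleton.
    private boolean authenticated = false;

    public BankManager(CredentialVerifier verifier) {
        this.verifier = Objects.requireNonNull(verifier);
    }

    // Weak form: no identity check, so any caller that reaches this method gets an account.
    public BankAccount createBankAccountUnchecked(String number, String owner, double balance) {
        return new BankAccount(number, owner, balance);
    }

    public boolean authenticateUser(String username, char[] password) {
        authenticated = verifier.verify(username, password);
        return authenticated;
    }

    // Hardened form: fails closed until authenticateUser has succeeded.
    public BankAccount createBankAccount(String number, String owner, double balance) {
        if (!authenticated) {
            throw new SecurityException("authentication required to create a bank account");
        }
        return new BankAccount(number, owner, balance);
    }

    public static void main(String[] args) {
        // Constructed verifier and credentials, for the demonstration only.
        BankManager m = new BankManager((u, p) -> "teller1".equals(u) && "demo-only".equals(new String(p)));
        try { m.createBankAccount("0001", "A. Example", 0.0); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
        m.authenticateUser("teller1", "demo-only".toCharArray());
        System.out.println("created for " + m.createBankAccount("0001", "A. Example", 0.0).owner);
    }
}
```

In this sketch the hardened method throws rather than returning an empty result, so a caller cannot mistake a rejected request for a successful one.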
Weaknesses in this category are related to authentication components of a system. Frequently these deal with the ability to verify that an entity is indeed who it clai...
Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is i...
This category identifies Software Fault Patterns (SFPs) within the Missing Authentication cluster.
This view (slice) covers all the elements in CWE.
CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses.
This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful t...