Category: Authenticate Actors
Draft
Summary
Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is indeed who it claims to be. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-258 | Empty Password in Configuration File | This vulnerability occurs when a configuration file, script, or application uses an empty string as a password, effectively disabling authentication for a service or account. |
| CWE-259 | Use of Hard-coded Password | This vulnerability occurs when an application embeds a password directly into its source code or configuration files. This hard-coded secret is then used either to authenticate incoming users or to connect to external services and databases. |
| CWE-262 | Not Using Password Aging | This vulnerability occurs when a system lacks password expiration policies, allowing users to keep the same password indefinitely. |
| CWE-263 | Password Aging with Long Expiration | The system enforces password changes, but the time allowed between changes is excessively long, weakening security. |
| CWE-287 | Improper Authentication | Improper Authentication occurs when a system fails to properly verify a user's claimed identity, allowing access without sufficient proof of who they are. |
| CWE-288 | Authentication Bypass Using an Alternate Path or Channel | This vulnerability occurs when a system has a primary login requirement, but attackers can find an unprotected backdoor or alternative route that completely bypasses those checks. |
| CWE-289 | Authentication Bypass by Alternate Name | This vulnerability occurs when a system checks access based on a resource or user name, but fails to account for all the different names or aliases that could refer to the same entity, allowing attackers to bypass authentication. |
| CWE-290 | Authentication Bypass by Spoofing | This weakness occurs when an application's authentication system can be tricked into accepting forged or manipulated credentials, allowing unauthorized access without proper verification. |
| CWE-291 | Reliance on IP Address for Authentication | This vulnerability occurs when a system uses a client's IP address as the sole or primary method to verify their identity. |
| CWE-293 | Using Referer Field for Authentication | This vulnerability occurs when a web application uses the HTTP Referer header as a sole or primary method for authentication or authorization decisions. Since this header is entirely controlled by the user's browser or client and can be easily forged, it provides no reliable security. |
| CWE-294 | Authentication Bypass by Capture-replay | This vulnerability occurs when an attacker can intercept and record legitimate authentication traffic, then replay it later to gain unauthorized access. The system accepts the replayed data as valid, effectively bypassing normal authentication checks. |
| CWE-301 | Reflection Attack in an Authentication Protocol | A reflection attack is a flaw in mutual authentication protocols that allows an attacker to impersonate a legitimate user without knowing the secret key. This happens when an attacker can bounce, or 'reflect,' a server's own challenge back to it using a second connection, tricking the system into granting access. |
| CWE-302 | Authentication Bypass by Assumed-Immutable Data | This vulnerability occurs when an authentication system incorrectly treats certain data as unchangeable, when in fact an attacker can manipulate it to bypass login or verification checks. |
| CWE-303 | Incorrect Implementation of Authentication Algorithm | This weakness occurs when a developer implements a standard authentication algorithm, but makes critical mistakes in the code that cause it to function incorrectly. |
| CWE-304 | Missing Critical Step in Authentication | This vulnerability occurs when a software authentication process omits a required step, weakening its overall security. |
| CWE-305 | Authentication Bypass by Primary Weakness | This vulnerability occurs when a system's core authentication logic is technically correct, but an attacker can completely bypass it by exploiting a separate, more fundamental flaw in the application. |
| CWE-306 | Missing Authentication for Critical Function | This vulnerability occurs when a software feature that performs a sensitive action or uses significant system resources does not verify the user's identity before executing. Attackers can exploit this to trigger critical functions without any credentials. |
| CWE-307 | Improper Restriction of Excessive Authentication Attempts | This vulnerability occurs when an application fails to properly limit how many times someone can attempt to log in or verify their identity in rapid succession, allowing attackers to systematically guess credentials. |
| CWE-308 | Use of Single-factor Authentication | Relying solely on single-factor authentication, like a password, exposes systems to significant security risks because it depends on only one type of proof for verifying a user's identity. |
| CWE-322 | Key Exchange without Entity Authentication | This vulnerability occurs when a system establishes a cryptographic key with another party without first confirming that party's true identity. |
| CWE-521 | Weak Password Requirements | This vulnerability occurs when an application fails to enforce strong password policies, making user accounts easier to compromise through guessing or automated attacks. |
| CWE-593 | Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created | This vulnerability occurs when an application modifies an OpenSSL context object after it has already been used to create active SSL/TLS connections. |
| CWE-603 | Use of Client-Side Authentication | This vulnerability occurs when an application places its authentication logic solely within the client-side code, such as in a mobile app or web browser, without enforcing the same checks on the server. Attackers can bypass authentication by modifying the client to skip these checks entirely. |
| CWE-620 | Unverified Password Change | This vulnerability occurs when an application allows a user to set a new password without first verifying their identity through the old password or a secure secondary authentication method. |
| CWE-640 | Weak Password Recovery Mechanism for Forgotten Password | This vulnerability occurs when an application's password reset or recovery feature is poorly designed or implemented, allowing attackers to bypass authentication and hijack user accounts. |
| CWE-798 | Use of Hard-coded Credentials | This vulnerability occurs when software contains built-in, unchangeable authentication secrets like passwords or encryption keys within its source code or configuration files. |
| CWE-836 | Use of Password Hash Instead of Password for Authentication | This vulnerability occurs when an application's authentication system accepts a password hash directly from the client for verification, instead of receiving and hashing the plaintext password on the server. |
| CWE-916 | Use of Password Hash With Insufficient Computational Effort | This vulnerability occurs when a system protects passwords by hashing them, but uses a hashing algorithm that is too fast or computationally cheap. This makes it easy for attackers to crack the stored password hashes using brute-force methods. |
| CWE-1008 | Architectural Concepts | This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.