Improper Authentication

When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

  • Source

    CWE Catalog - 4.7

  • Identifier

    CWE-287

  • Status

    Draft

Contents

Demonstrations

The following examples help to illustrate the nature of this weakness and describe methods or techniques which can be used to mitigate the risk.

Note that the examples here are by no means exhaustive and any given weakness may have many subtle varieties, each of which may require different detection methods or runtime controls.

Example One

The following code intends to ensure that the user is already logged in. If not, the code performs authentication with the user-provided username and password. If successful, it sets the loggedin and user cookies to "remember" that the user has already logged in. Finally, the code performs administrator tasks if the logged-in user has the "Administrator" username, as recorded in the user cookie.

my $q = new CGI;

if ($q->cookie('loggedin') ne "true") {

  if (! AuthenticateUser($q->param('username'), $q->param('password'))) {
    ExitError("Error: you need to log in first");
  }
  else {

    # Set loggedin and user cookies.
    $q->cookie(
      -name => 'loggedin',
      -value => 'true'
      );

    $q->cookie(
      -name => 'user',
      -value => $q->param('username')
      );


  }

}

if ($q->cookie('user') eq "Administrator") {
  DoAdministratorTasks();
}

Unfortunately, this code can be bypassed. The attacker can set the cookies independently so that the code does not check the username and password. The attacker could do this with an HTTP request containing headers such as:

GET /cgi-bin/vulnerable.cgi HTTP/1.1
Cookie: user=Administrator
Cookie: loggedin=true

[body of request]

By setting the loggedin cookie to "true", the attacker bypasses the entire authentication check. By using the "Administrator" value in the user cookie, the attacker also gains privileges to administer the software.

Example Two

In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support staff, the attacker used the administrator panel to gain access to 33 accounts that belonged to celebrities and politicians. Ultimately, fake Twitter messages were sent that appeared to come from the compromised accounts.

See Also

OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures

Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top Ten 2021.

OWASP Top Ten 2017 Category A2 - Broken Authentication

Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2017.

Authenticate Actors

Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is i...

Comprehensive CWE Dictionary

This view (slice) covers all the elements in CWE.

Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses

CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses.

Weaknesses in the 2021 CWE Top 25 Most Dangerous Software Weaknesses

CWE entries in this view are listed in the 2021 CWE Top 25 Most Dangerous Software Weaknesses.

Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.