Authentication Bypass Using an Alternate Path or Channel
Weakness ID: 288 (Weakness Base)Status: Incomplete
+ Description

Description Summary

A product requires authentication, but the product has an alternate path or channel that does not require authentication.
+ Time of Introduction
  • Architecture and Design
+ Applicable Platforms



+ Modes of Introduction

This is often seen in web applications that assume that access to a particular CGI program can only be obtained through a "front" screen, when the supporting programs are directly accessible. But this problem is not just in web apps.

+ Observed Examples
CVE-1999-1454Attackers with physical access to the machine may bypass the password prompt by pressing the ESC (Escape) key.
CVE-2003-0304Direct request of installation file allows attacker to create administrator accounts.
CVE-2002-0870Attackers may gain additional privileges by directly requesting the web management URL.
CVE-2002-0066Bypass authentication via direct request to named pipe.
CVE-2003-1035User can avoid lockouts by using an API instead of the GUI to conduct brute force password guessing.
+ Potential Mitigations

Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class592Authentication Bypass Issues
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfCategoryCategory721OWASP Top Ten 2007 Category A10 - Failure to Restrict URL Access
Weaknesses in OWASP Top Ten (2007) (primary)629
PeerOfWeakness BaseWeakness Base420Unprotected Alternate Channel
Research Concepts1000
PeerOfWeakness BaseWeakness Base425Direct Request ('Forced Browsing')
Research Concepts1000
+ Relationship Notes

overlaps Unprotected Alternate Channel

+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERAuthentication Bypass by Alternate Path/Channel
OWASP Top Ten 2007A10CWE More SpecificFailure to Restrict URL Access
+ Related Attack Patterns
CAPEC-IDAttack Pattern Name
(CAPEC Version: 1.4)
56Removing/short-circuiting 'guard logic'
+ Content History
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modification DateModifierOrganizationSource
2008-09-08CWE Content TeamMITREInternal
updated Description, Modes of Introduction, Name, Relationships, Observed Example, Relationship Notes, Taxonomy Mappings, Type
2008-11-24CWE Content TeamMITREInternal
updated Observed Examples
Previous Entry Names
Change DatePrevious Entry Name
2008-09-09Authentication Bypass by Alternate Path/Channel