Authentication Bypass by Spoofing
Weakness ID: 290 (Weakness Base) | Status: Incomplete
Description Summary
This attack-focused weakness is caused by improperly implemented authentication schemes that are subject to spoofing attacks.
Example 1
Here, an authentication mechanism implemented in Java relies solely on the request's source IP address for validation. If an attacker is able to spoof that IP address, they may be able to bypass the authentication mechanism entirely.
(Bad Code)
Example Language: Java

```java
// The source address is the only factor checked; a spoofed packet
// bearing APPROVED_IP is indistinguishable from a genuine one.
String sourceIP = request.getRemoteAddr();
if (sourceIP != null && sourceIP.equals(APPROVED_IP)) {
    authenticated = true;
}
```
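As an added illustration (not code from the CWE entry), the IP-only check above is shown beside a check that authenticates on a server-signed, expiring credential instead, so that a spoofed source address alone no longer grants access; the approved address, the signing key and the token format are constructed assumptions, and Python is used because the weakness is language-independent.

```python
import hashlib
import hmac
import time

# Constructed values for this example only; they are not from the CWE entry.
APPROVED_IP = "10.0.0.5"
SERVER_KEY = b"example-server-key"  # a real service loads this from a secret store


def authenticate_by_ip(source_ip):
    """The page's vulnerable pattern: the only factor is a source address.
    Any request arriving with APPROVED_IP is accepted, so the server cannot
    tell a genuine peer from a spoofed one."""
    return source_ip is not None and source_ip == APPROVED_IP


def issue_token(user, ttl_seconds=300, now=None):
    """Hardened alternative: a server-signed, expiring credential that only
    the holder of SERVER_KEY can mint."""
    now = int(time.time() if now is None else now)
    payload = f"{user}:{now + ttl_seconds}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def authenticate_by_token(token, now=None):
    """Verify MAC and expiry; return the user or None. The source IP plays
    no role, so spoofing it gains the attacker nothing."""
    now = int(time.time() if now is None else now)
    parts = token.split(":")
    if len(parts) != 3:
        return None
    user, expiry, mac = parts
    expected = hmac.new(SERVER_KEY, f"{user}:{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):  # constant-time compare
        return None
    try:
        return user if int(expiry) > now else None
    except ValueError:
        return None


if __name__ == "__main__":
    print(authenticate_by_ip("10.0.0.5"))  # True for any sender claiming that address
    tok = issue_token("alice")
    print(authenticate_by_token(tok))  # alice
    print(authenticate_by_token(tok.replace("alice", "mallory")))  # None
```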
Relationships

| Nature | Type | ID | Name | View(s) this relationship pertains to |
|---|---|---|---|---|
| ChildOf | Weakness Class | 592 | Authentication Bypass Issues | Development Concepts (primary) 699, Research Concepts (primary) 1000 |
| ParentOf | Compound Element: Composite | 291 | Trusting Self-reported IP Address | Development Concepts (primary) 699, Research Concepts (primary) 1000 |
| ParentOf | Weakness Variant | 292 | Trusting Self-reported DNS Name | Development Concepts (primary) 699, Research Concepts (primary) 1000 |
| ParentOf | Weakness Variant | 293 | Using Referer Field for Authentication | Development Concepts (primary) 699, Research Concepts (primary) 1000 |
| PeerOf | Weakness Variant | 247 | Reliance on DNS Lookups in a Security Decision | Research Concepts 1000 |
| PeerOf | Weakness Base | 602 | Client-Side Enforcement of Server-Side Security | Research Concepts 1000 |
| CanAlsoBe | Weakness Base | 358 | Improperly Implemented Security Check for Standard | Research Concepts 1000 |
Taxonomy Mappings

| Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
|---|---|---|---|
| PLOVER | | | Authentication bypass by spoofing |
Related Attack Patterns (CAPEC Version: 1.4)

| CAPEC-ID | Attack Pattern Name |
|---|---|
| 21 | Exploitation of Session Variables, Resource IDs and other Trusted Credentials |
| 22 | Exploiting Trust in Client (aka Make the Client Invisible) |
| 94 | Man in the Middle Attack |
| 59 | Session Credential Falsification through Prediction |
| 60 | Reusing Session IDs (aka Session Replay) |
Submissions

| Submission Date | Submitter | Organization | Source |
|---|---|---|---|
| | PLOVER | | Externally Mined |

Modifications

| Modification Date | Modifier | Organization | Source | Comment |
|---|---|---|---|---|
| 2008-07-01 | Sean Eidemiller | Cigital | External | added/updated demonstrative examples |
| 2008-07-01 | Eric Dalci | Cigital | External | updated Time of Introduction |
| 2008-09-08 | CWE Content Team | MITRE | Internal | updated Description, Relationships, Relationship Notes, Taxonomy Mappings |
| 2009-07-27 | CWE Content Team | MITRE | Internal | updated Relationship Notes |