Authentication Bypass by Assumed-Immutable Data
Weakness ID: 302 (Weakness Variant)Status: Incomplete
+ Description

Description Summary

The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms



+ Demonstrative Examples

Example 1

In the following example, an "authenticated" cookie is used to determine whether or not a user should be granted access to a system. Of course, modifying the value of a cookie on the client-side is trivial, but many developers assume that cookies are essentially immutable.

(Bad Code)
Example Language: Java 
boolean authenticated = new Boolean(getCookieValue("authenticated")).booleanValue();
if (authenticated) {
+ Observed Examples
CVE-2004-0261Web auth
CVE-2002-1730Authentication bypass by setting certain cookies to "true".
CVE-2002-1734Authentication bypass by setting certain cookies to "true".
CVE-2002-2064SecurityDatabase\User\Admin access by setting a cookie.
CVE-2002-2054Gain privileges by setting cookie.
CVE-2004-1611Product trusts authentication information in cookie.
CVE-2005-1708Authentication bypass by setting admin-testing variable to true.
CVE-2005-1787Bypass auth and gain privileges by setting a variable.
+ Potential Mitigations

Phases: Architecture and Design; Operation; Implementation

Implement proper protection for immutable data (e.g. environment variable, hidden form fields, etc.)

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class592Authentication Bypass Issues
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfCategoryCategory724OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management
Weaknesses in OWASP Top Ten (2004) (primary)711
ChildOfWeakness BaseWeakness Base807Reliance on Untrusted Inputs in a Security Decision
Research Concepts1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERAuthentication Bypass via Assumed-Immutable Data
OWASP Top Ten 2004A1CWE More SpecificUnvalidated Input
+ Related Attack Patterns
CAPEC-IDAttack Pattern Name
(CAPEC Version: 1.4)
10Buffer Overflow via Environment Variables
13Subverting Environment Variable Values
21Exploitation of Session Variables, Resource IDs and other Trusted Credentials
31Accessing/Intercepting/Modifying HTTP Cookies
39Manipulating Opaque Client-based Data Tokens
45Buffer Overflow via Symbolic Links
77Manipulating User-Controlled Variables
+ Content History
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modification DateModifierOrganizationSource
2008-07-01Sean EidemillerCigitalExternal
added/updated demonstrative examples
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Taxonomy Mappings
2008-10-14CWE Content TeamMITREInternal
updated Demonstrative Examples, Description
2009-03-10CWE Content TeamMITREInternal
updated Relationships