Insufficiently Protected Credentials
Weakness ID: 522 (Weakness Base)Status: Incomplete
+ Description

Description Summary

This weakness occurs when the application transmits or stores authentication credentials and uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Potential Mitigations

Use an appropriate security mechanism to protect the credentials.

Make appropriate use of cryptography to protect the credentials.

Use industry standards to protect the credentials (e.g. LDAP, keystore, etc.).

+ Other Notes

Attackers are potentially able to bypass authentication mechanisms, hijack a victim's account, and obtain the role and respective access level of the accounts.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory255Credentials Management
Development Concepts (primary)699
ChildOfWeakness ClassWeakness Class668Exposure of Resource to Wrong Sphere
Research Concepts (primary)1000
ChildOfCategoryCategory718OWASP Top Ten 2007 Category A7 - Broken Authentication and Session Management
Weaknesses in OWASP Top Ten (2007) (primary)629
ChildOfCategoryCategory724OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management
Weaknesses in OWASP Top Ten (2004) (primary)711
ParentOfWeakness VariantWeakness Variant256Plaintext Storage of a Password
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base257Storing Passwords in a Recoverable Format
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant260Password in Configuration File
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant523Unprotected Transport of Credentials
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant549Missing Password Field Masking
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant555J2EE Misconfiguration: Plaintext Password in Configuration File
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant620Unverified Password Change
Development Concepts (primary)699
Research Concepts (primary)1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
Anonymous Tool Vendor (under NDA)
OWASP Top Ten 2007A7CWE More SpecificBroken Authentication and Session Management
OWASP Top Ten 2004A3CWE More SpecificBroken Authentication and Session Management
+ Related Attack Patterns
CAPEC-IDAttack Pattern Name
(CAPEC Version: 1.4)
50Password Recovery Exploitation
102Session Sidejacking
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
Anonymous Tool Vendor (under NDA)Externally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Potential Mitigations, Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Other Notes, Taxonomy Mappings
2009-05-27CWE Content TeamMITREInternal
updated Related Attack Patterns
Back to top