Insufficiently Protected Credentials |
Weakness ID: 522 (Weakness Base) | Status: Incomplete |
Description Summary
This weakness occurs when the application transmits or stores authentication credentials and uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Use an appropriate security mechanism to protect the credentials. |
Make appropriate use of cryptography to protect the credentials. |
Use industry standards to protect the credentials (e.g. LDAP, keystore, etc.). |
Attackers are potentially able to bypass authentication mechanisms, hijack a victim's account, and obtain the role and respective access level of the accounts. |
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Category | 255 | Credentials Management | Development Concepts (primary)699 |
ChildOf | Weakness Class | 668 | Exposure of Resource to Wrong Sphere | Research Concepts (primary)1000 |
ChildOf | Category | 718 | OWASP Top Ten 2007 Category A7 - Broken Authentication and Session Management | Weaknesses in OWASP Top Ten (2007) (primary)629 |
ChildOf | Category | 724 | OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management | Weaknesses in OWASP Top Ten (2004) (primary)711 |
ParentOf | Weakness Variant | 256 | Plaintext Storage of a Password | Development Concepts (primary)699 Research Concepts (primary)1000 |
ParentOf | Weakness Base | 257 | Storing Passwords in a Recoverable Format | Development Concepts (primary)699 Research Concepts (primary)1000 |
ParentOf | Weakness Variant | 260 | Password in Configuration File | Development Concepts (primary)699 Research Concepts (primary)1000 |
ParentOf | Weakness Variant | 523 | Unprotected Transport of Credentials | Development Concepts (primary)699 Research Concepts (primary)1000 |
ParentOf | Weakness Variant | 549 | Missing Password Field Masking | Research Concepts (primary)1000 |
ParentOf | Weakness Variant | 555 | J2EE Misconfiguration: Plaintext Password in Configuration File | Research Concepts (primary)1000 |
ParentOf | Weakness Variant | 620 | Unverified Password Change | Development Concepts (primary)699 Research Concepts (primary)1000 |
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
Anonymous Tool Vendor (under NDA) | |||
OWASP Top Ten 2007 | A7 | CWE More Specific | Broken Authentication and Session Management |
OWASP Top Ten 2004 | A3 | CWE More Specific | Broken Authentication and Session Management |
Submissions | ||||
---|---|---|---|---|
Submission Date | Submitter | Organization | Source | |
Anonymous Tool Vendor (under NDA) | Externally Mined | |||
Modifications | ||||
Modification Date | Modifier | Organization | Source | |
2008-07-01 | Eric Dalci | Cigital | External | |
updated Potential Mitigations, Time of Introduction | ||||
2008-09-08 | CWE Content Team | MITRE | Internal | |
updated Relationships, Other Notes, Taxonomy Mappings | ||||
2009-05-27 | CWE Content Team | MITRE | Internal | |
updated Related Attack Patterns |