Use of Client-Side Authentication
Weakness ID: 603 (Weakness Base)Status: Draft
+ Description

Description Summary

A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check.

Extended Description

Client-side authentication is extremely weak and may be breached easily. Any attacker may read the source code and reverse-engineer the authentication mechanism to access parts of the application which would otherwise be protected.

+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Observed Examples
CVE-2006-0230Client-side check for a password allows access to a server using crafted XML requests from a modified client.
+ Potential Mitigations

Do not rely on client side data. Always perform server side authentication.

+ Other Notes

Note that there is a close relationship between this weakness and CWE-656 (Reliance on Security through Obscurity). If developers do not believe that a user can reverse engineer a client, then they are more likely to choose client-side authentication in the belief that it is safe.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class287Improper Authentication
Development Concepts (primary)699
Research Concepts1000
ChildOfWeakness BaseWeakness Base602Client-Side Enforcement of Server-Side Security
Research Concepts (primary)1000
PeerOfWeakness ClassWeakness Class300Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
Research Concepts1000
PeerOfWeakness ClassWeakness Class592Authentication Bypass Issues
Research Concepts1000
+ Content History
Submission DateSubmitterOrganizationSource
Anonymous Tool Vendor (under NDA)Externally Mined
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Potential Mitigations, Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Description, Relationships, Observed Example, Other Notes, Taxonomy Mappings
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Client-Side Authentication