Use of Client-Side Authentication
Weakness ID: 603 (Weakness Base) | Status: Draft
Description Summary
A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check.
Extended Description
Client-side authentication is extremely weak and may be breached easily. Any attacker may read the source code and reverse-engineer the authentication mechanism to access parts of the application which would otherwise be protected.
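The weakness in code, as an added example that is not part of the CWE entry: a server handler that trusts an "authenticated" flag computed by the client (the CWE-603 pattern) next to one that verifies the credential on the server and ignores whatever the client claims. The user table, salt, and request shapes are constructed for the example.

```python
import hashlib
import hmac

# Constructed server-side credential store: username -> (salt, PBKDF2 hash).
# Sample values only; a real deployment keeps these in a database with
# a distinct random salt per user.
_USERS = {
    "alice": (b"salt-for-alice",
              hashlib.pbkdf2_hmac("sha256", b"correct horse", b"salt-for-alice", 100_000)),
}
_DUMMY_SALT = b"dummy-salt"


def vulnerable_handler(request: dict) -> str:
    """CWE-603: the client decided whether the user is authenticated and the
    server simply believes the flag. Nothing here checks a credential, so a
    client that omits its own check (or is replaced) gets through."""
    if request.get("authenticated") is True:
        return f"secret data for {request.get('user')}"
    return "denied"


def hardened_handler(request: dict) -> str:
    """Authentication happens on the server: the submitted password is
    re-derived and compared against the stored hash. Any client-supplied
    'authenticated' flag is ignored entirely."""
    user = request.get("user")
    password = str(request.get("password", "")).encode()
    entry = _USERS.get(user)
    if entry is None:
        # Unknown user: run the same PBKDF2 work so timing does not reveal
        # which usernames exist, then deny.
        hashlib.pbkdf2_hmac("sha256", password, _DUMMY_SALT, 100_000)
        return "denied"
    salt, stored_hash = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)
    # Constant-time comparison of the two digests.
    if hmac.compare_digest(candidate, stored_hash):
        return f"secret data for {user}"
    return "denied"
```

A server-side audit for this weakness looks for exactly the first shape: any authorization decision keyed on a field the client sends rather than on a credential or session the server validated itself.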
Observed Examples
Reference | Description
---|---
CVE-2006-0230 | Client-side check for a password allows access to a server using crafted XML requests from a modified client.
Other Notes
Note that there is a close relationship between this weakness and CWE-656 (Reliance on Security through Obscurity). If developers do not believe that a user can reverse engineer a client, then they are more likely to choose client-side authentication in the belief that it is safe.
Relationships
Nature | ID | Name | View(s) this relationship pertains to
---|---|---|---
ChildOf | 287 | Improper Authentication | Development Concepts (primary) 699; Research Concepts 1000
ChildOf | 602 | Client-Side Enforcement of Server-Side Security | Research Concepts (primary) 1000
PeerOf | 300 | Channel Accessible by Non-Endpoint ('Man-in-the-Middle') | Research Concepts 1000
PeerOf | 592 | Authentication Bypass Issues | Research Concepts 1000
Submissions
Submission Date | Submitter | Organization | Source
---|---|---|---
 | Anonymous Tool Vendor (under NDA) | | Externally Mined
Modifications
Modification Date | Modifier | Organization | Source | Changes
---|---|---|---|---
2008-07-01 | Eric Dalci | Cigital | External | updated Potential Mitigations, Time of Introduction
2008-09-08 | CWE Content Team | MITRE | Internal | updated Description, Relationships, Observed Example, Other Notes, Taxonomy Mappings
Previous Entry Names
Change Date | Previous Entry Name
---|---
2008-04-11 | Client-Side Authentication