CWE-309 Use of Password System for Primary Authentication

admin, 5 January 2022, 21:06:53


Structure: Simple

Abstraction: Base

Status: Draft

Likelihood of Exploit: High

Description

The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.

Related Weaknesses

  • ChildOf: CWE-287 (View 1000, Ordinal: Primary)

  • ChildOf: CWE-287 (View 699, Ordinal: Primary)

  • ChildOf: CWE-654 (View 1000)

  • PeerOf: CWE-308 (View 1000)

Applicable Platforms

Language: Language-Independent (Prevalence: Undetermined)

Common Consequences

Scope: Access Control
Impact: Bypass Protection Mechanism; Gain Privileges or Assume Identity
Notes: A password authentication mechanism error will almost always result in attackers being authorized as valid users.

Potential Mitigations

Phase: Architecture and Design

In order to protect password systems from compromise, the following should be noted:

  • Use a zero-knowledge password protocol, such as SRP.

  • Ensure that passwords are stored safely and are not reversible.

  • Implement password aging functionality that requires passwords be changed after a certain point.

  • Use a mechanism for determining the strength of a password and notify the user of weak password use.

  • Inform the user of why password protections are in place, how they work to protect data integrity, and why it is important to heed their warnings.

Demonstrative Examples

In both of these examples, a user is logged in if their given password matches a stored password:

(bad code) Example Language: C

unsigned char check_passwd(char *plaintext) {
    unsigned char *ctext;
    /* Hash the supplied password with unsalted SHA-1 (see CWE-328 and CWE-759) */
    ctext = simple_digest("sha1", plaintext, strlen(plaintext), ... );
    /* Login if hash matches stored hash: the password is the only factor checked */
    if (equal(ctext, secret_password())) {
        login_user();
        return 1;
    }
    return 0;
}

(bad code) Example Language: Java

import java.security.MessageDigest;

String plainText = new String(plainTextIn);
MessageDigest encer = MessageDigest.getInstance("SHA");
encer.update(plainTextIn);
// Digest taken from the MessageDigest that was updated above (the original read password.digest())
byte[] digest = encer.digest();
// Login if hash matches stored hash: the password is the only factor checked
if (equal(digest, secret_password())) {
    login_user();
}

This code fails to incorporate more than one method of authentication. If an attacker can steal or guess a user's password, they are given full access to their account. Note this code also exhibits CWE-328 (Reversible One-Way Hash) and CWE-759 (Use of a One-Way Hash without a Salt).
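The following is an added example, not code from the CWE entry: it places a password-only check in the style of the demonstrative code above beside a hardened login that applies two of the mitigations listed earlier, storing a salted, iterated hash instead of a bare SHA-1 digest and requiring a second factor (an RFC 6238 TOTP code computed with HMAC-SHA1), so that a stolen or guessed password alone does not authenticate. All user records, secrets and codes are constructed for the example.

```python
import hashlib
import hmac
import os
import struct
import time

# --- Weak: single factor and unsalted SHA-1, mirroring the CWE-309 examples ---
def weak_login(stored_sha1: bytes, password: str) -> bool:
    # Whoever knows the password is logged in; nothing else is checked.
    return hashlib.sha1(password.encode()).digest() == stored_sha1

# --- Hardened: salted PBKDF2 record plus a mandatory TOTP second factor ---
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor

def make_record(password: str, totp_secret: bytes) -> dict:
    """Build the stored credential: random per-user salt, slow hash, TOTP seed."""
    salt = os.urandom(16)
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS),
            "totp_secret": totp_secret}

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 with dynamic truncation) for Unix time t."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def strong_login(record: dict, password: str, code: str, now=None) -> bool:
    """Both factors are always evaluated; the password by itself never grants access."""
    now = int(time.time()) if now is None else now
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    pw_ok = hmac.compare_digest(candidate, record["hash"])  # constant-time comparison
    # Accept the current 30 s window and one window on each side to allow clock skew.
    code_ok = any(hmac.compare_digest(totp(record["totp_secret"], now + d), code)
                  for d in (-30, 0, 30))
    return pw_ok and code_ok
```

The TOTP routine reproduces the RFC 6238 test vectors (secret "12345678901234567890" at time 59 yields 287082), so it can be checked against any standard authenticator app.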

Taxonomy Mappings

  • Mapped Taxonomy Name: CLASP; Mapped Node Name: Using password systems

  • Mapped Taxonomy Name: OWASP Top Ten 2004; Node ID: A3; Fit: CWE More Specific; Mapped Node Name: Broken Authentication and Session Management

Article source: scap中文网

Original link (CN-SEC中文网): http://cn-sec.com/archives/612782.html
