CWE-309 Use of Password System for Primary Authentication

admin | 2022-01-05 21:06:53 | CWE (Common Weakness Enumeration)

Structure: Simple

Abstraction: Base

Status: Draft

Likelihood of Exploit: High

Description

The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.

Related Weaknesses

  • ChildOf CWE-287 (Improper Authentication), View 1000 (Research Concepts), Primary

  • ChildOf CWE-287 (Improper Authentication), View 699 (Development Concepts), Primary

  • ChildOf CWE-654 (Reliance on a Single Factor in a Security Decision), View 1000

  • PeerOf CWE-308 (Use of Single-factor Authentication), View 1000

Applicable Platforms

Language: Language-Independent (Prevalence: Undetermined)

Common Consequences

Scope: Access Control
Impact: Bypass Protection Mechanism; Gain Privileges or Assume Identity
Note: A password authentication mechanism error will almost always result in attackers being authorized as valid users.

Potential Mitigations

Phase: Architecture and Design

In order to protect password systems from compromise, the following should be noted:

  • Use a zero-knowledge password protocol, such as SRP.

  • Ensure that passwords are stored safely and are not reversible.

  • Implement password aging functionality that requires passwords to be changed after a certain point.

  • Use a mechanism for determining the strength of a password and notify the user of weak password use.

  • Inform the user of why password protections are in place, how they work to protect data integrity, and why it is important to heed their warnings.

Demonstrative Examples

In both of these examples, a user is logged in if the hash of the supplied password matches the stored hash; the password is the only factor checked:

Bad example (C):

    unsigned char check_passwd(char *plaintext) {
        unsigned char *ctext;

        /* Unsalted SHA-1 of the supplied password (also CWE-328 / CWE-759) */
        ctext = simple_digest("sha1", plaintext, strlen(plaintext), ... );

        /* Login if hash matches stored hash: the password is the only factor */
        if (equal(ctext, secret_password())) {
            login_user();
            return 1;
        }
        return 0;
    }

Bad example (Java):

    String plainText = new String(plainTextIn);
    // "SHA" is the JDK alias for SHA-1; no salt is used (CWE-328 / CWE-759)
    MessageDigest encer = MessageDigest.getInstance("SHA");
    encer.update(plainTextIn);
    byte[] digest = encer.digest();

    // Login if hash matches stored hash: the password is the only factor
    if (equal(digest, secret_password())) {
        login_user();
    }

This code fails to incorporate more than one method of authentication. If an attacker can steal or guess a user's password, they are given full access to their account. Note this code also exhibits CWE-328 (Reversible One-Way Hash) and CWE-759 (Use of a One-Way Hash without a Salt).
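The following Python example is added here and is not part of the CWE entry or of this page's original text. It places the weak check from the examples above (unsalted SHA-1, password as the only factor, non-constant-time comparison) beside a hardened login that applies the mitigations listed earlier: per-user salted scrypt storage so the stored value is not reversible, a constant-time comparison, a strength check whose reason is returned so it can be shown to the user, password aging, and a second authentication factor. The CWE text only says "more than one method of authentication"; TOTP (RFC 6238 over HMAC-SHA1) is the second factor chosen for this example. The sample credential, deny-list, policy constants (90-day expiry, 12-character minimum), TOTP secret and timestamps are all constructed assumptions.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# --- The page's weak pattern: unsalted SHA-1, password is the only factor ---
# Constructed sample credential; a real store would hold many users.
WEAK_STORED_DIGEST = hashlib.sha1(b"hunter2").digest()


def check_passwd_weak(plaintext: bytes) -> bool:
    """Mirrors check_passwd() above: CWE-309 (single factor), CWE-328 (SHA-1),
    CWE-759 (no salt), plus a non-constant-time '==' comparison."""
    return hashlib.sha1(plaintext).digest() == WEAK_STORED_DIGEST


# --- Hardened pattern: salted memory-hard hash + strength check + aging + 2nd factor ---
PASSWORD_MAX_AGE = 90 * 24 * 3600   # assumed policy: rotate after 90 days
MIN_PASSWORD_LEN = 12               # assumed policy
DENYLIST = {b"password", b"hunter2", b"123456789012"}  # constructed sample deny-list


def password_weakness(password: bytes) -> Optional[str]:
    """Return a reason the password is weak (to report to the user), or None."""
    if len(password) < MIN_PASSWORD_LEN:
        return f"shorter than {MIN_PASSWORD_LEN} characters"
    if password.lower() in DENYLIST:
        return "appears in the deny-list of common passwords"
    return None


def hash_password(password: bytes, salt: Optional[bytes] = None):
    """Per-user random salt + scrypt (memory-hard); the stored value is not reversible."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: bytes, salt: bytes, stored: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)   # constant-time comparison


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, RFC 4226 truncation."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, now + k * 30), code)
               for k in range(-window, window + 1))


def make_user(password: bytes, totp_secret: bytes, now: int) -> dict:
    """Enrol a user: refuse weak passwords, store salt + scrypt hash + set time."""
    weak = password_weakness(password)
    if weak:
        raise ValueError(f"weak password: {weak}")
    salt, digest = hash_password(password)
    return {"salt": salt, "hash": digest, "totp_secret": totp_secret, "pw_set_at": now}


def login(user: dict, password: bytes, code: str, now: int) -> str:
    """Return 'ok', 'bad-password', 'bad-otp' or 'password-expired'.
    Both factors must pass; an aged password is rejected even when they do."""
    if not verify_password(password, user["salt"], user["hash"]):
        return "bad-password"
    if not verify_totp(user["totp_secret"], code, now):
        return "bad-otp"
    if now - user["pw_set_at"] > PASSWORD_MAX_AGE:
        return "password-expired"
    return "ok"
```

The weak function is reachable with a single guessed or stolen password, exactly as the prose above describes; `login` cannot be passed without the TOTP secret as well, and the scrypt parameters make offline guessing of a leaked `hash` far more expensive than SHA-1. The `totp` routine reproduces the RFC 4226/6238 reference vectors (secret `12345678901234567890`, counter 0 and time 59), which is a useful self-check before trusting any OTP implementation.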

Taxonomy Mappings

Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
CLASP | | | Using password systems
OWASP Top Ten 2004 | A3 | CWE More Specific | Broken Authentication and Session Management

Article source: scap中文网 (via the Internet)

Original post on CN-SEC (published 2022-01-05 21:06:53): http://cn-sec.com/archives/612782.html
