CWE-603 使用客户端的认证机制

admin 2021年12月4日16:17:57评论53 views字数 961阅读3分12秒阅读模式

CWE-603 使用客户端的认证机制

Use of Client-Side Authentication

结构: Simple

Abstraction: Base

状态: Draft

被利用可能性: unkown

基本描述

A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check.

扩展描述

Client-side authentication is extremely weak and may be breached easily. Any attacker may read the source code and reverse-engineer the authentication mechanism to access parts of the application which would otherwise be protected.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 602 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 287 cwe_View_ID: 1000

  • cwe_Nature: ChildOf cwe_CWE_ID: 287 cwe_View_ID: 699 cwe_Ordinal: Primary

  • cwe_Nature: PeerOf cwe_CWE_ID: 300 cwe_View_ID: 1000

常见的影响

范围 影响 注释
Access Control ['Bypass Protection Mechanism', 'Gain Privileges or Assume Identity']

可能的缓解方案

Architecture and Design

策略:

Do not rely on client side data. Always perform server side authentication.

分析过的案例

标识 说明 链接

Notes

引用

文章来源于互联网:scap中文网

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2021年12月4日16:17:57
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   CWE-603 使用客户端的认证机制http://cn-sec.com/archives/613450.html

发表评论

匿名网友 填写信息