CWE-603 使用客户端的认证机制
Use of Client-Side Authentication
结构: Simple
Abstraction: Base
状态: Draft
被利用可能性: unkown
基本描述
A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check.
扩展描述
Client-side authentication is extremely weak and may be breached easily. Any attacker may read the source code and reverse-engineer the authentication mechanism to access parts of the application which would otherwise be protected.
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 602 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 287 cwe_View_ID: 1000
-
cwe_Nature: ChildOf cwe_CWE_ID: 287 cwe_View_ID: 699 cwe_Ordinal: Primary
-
cwe_Nature: PeerOf cwe_CWE_ID: 300 cwe_View_ID: 1000
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| Access Control | ['Bypass Protection Mechanism', 'Gain Privileges or Assume Identity'] |
可能的缓解方案
Architecture and Design
策略:
Do not rely on client side data. Always perform server side authentication.
分析过的案例
| 标识 | 说明 | 链接 |
|---|---|---|
Notes
引用
文章来源于互联网:scap中文网
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论