CWE-287: Improper Authentication

Causes

• The following code intends to ensure that the user is already logged in. If not, the code performs authentication with the user-provided username and password. If successful, it sets the loggedin and user cookies to "remember" that the user has already logged in. Finally, the code performs administrator tasks if the logged-in user has the "Administrator" username, as recorded in the user cookie. Unfortunately, this code can be bypassed. The attacker can set the cookies independently so that the code does not check the username and password. The attacker could do this with an HTTP request containing headers such as:,By setting the loggedin cookie to "true", the attacker bypasses the entire authentication check. By using the "Administrator" value in the user cookie, the attacker also gains privileges to administer the software.
• In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support staff, the attacker used the administrator panel to gain access to 33 accounts that belonged to celebrities and politicians. Ultimately, fake Twitter messages were sent that appeared to come from the compromised accounts.
• In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications. Multiple vendors did not use any authentication or used client-side authentication for critical functionality in their OT products.

Remediation

• Architecture and Design: Use an authentication framework or library such as the OWASP ESAPI Authentication feature.

Detection

• Automated Static Analysis: [object Object]
• Manual Static Analysis: [object Object]
• Manual Static Analysis - Binary or Bytecode: [object Object]
• Dynamic Analysis with Automated Results Interpretation: [object Object]
• Dynamic Analysis with Manual Results Interpretation: [object Object]
• Manual Static Analysis - Source Code: [object Object]
• Automated Static Analysis - Source Code: [object Object]
• Architecture or Design Review: [object Object]

Related CWEs

• CWE-1390: Weak Authentication
• CWE-284: Improper Access Control
• CWE-284: Improper Access Control
• CWE-290: Authentication Bypass by Spoofing
• CWE-294: Authentication Bypass by Capture-replay
• CWE-295: Improper Certificate Validation
• CWE-295: Improper Certificate Validation
• CWE-306: Missing Authentication for Critical Function
• CWE-306: Missing Authentication for Critical Function
• CWE-307: Improper Restriction of Excessive Authentication Attempts
• CWE-521: Weak Password Requirements
• CWE-522: Insufficiently Protected Credentials

Related CVEs

Related CVE mappings appear after CVE records are cross-indexed.

ATT&CK Relevance

ATT&CK relevance is shown only when reviewed or responsibly inferred.