CWE-306: Missing Authentication for Critical Function

Causes

• In the following Java example the method createBankAccount is used to create a BankAccount object for a bank management application. However, there is no authentication mechanism to ensure that the user creating this bank account object has the authority to create new bank accounts. Some authentication mechanisms should be used to verify that the user has the authority to create bank account objects.,The following Java code includes a boolean variable and method for authenticating a user. If the user has not been authenticated then the createBankAccount will not create the bank account object.
• In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications. Multiple vendors did not use any authentication for critical functionality in their OT products.
• In 2021, a web site operated by PeopleGIS stored data of US municipalities in Amazon Web Service (AWS) Simple Storage Service (S3) buckets. While it was not publicly disclosed how the data was protected after discovery, multiple options could have been considered.

Remediation

• Architecture and Design: [object Object]
• Architecture and Design: For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
• Implementation,System Configuration,Operation: When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to require strong authentication for users who should be allowed to access the data [REF-1297] [REF-1298] [REF-1302].

Detection

• Manual Analysis: [object Object]
• Automated Static Analysis: [object Object]
• Manual Static Analysis - Binary or Bytecode: [object Object]
• Dynamic Analysis with Automated Results Interpretation: [object Object]
• Dynamic Analysis with Manual Results Interpretation: [object Object]
• Manual Static Analysis - Source Code: [object Object]
• Automated Static Analysis - Source Code: [object Object]
• Architecture or Design Review: [object Object]

Related CWEs

• CWE-288: Authentication Bypass Using an Alternate Path or Channel
• CWE-287: Improper Authentication
• CWE-287: Improper Authentication
• CWE-322: Key Exchange without Entity Authentication

Related CVEs

Related CVE mappings appear after CVE records are cross-indexed.

ATT&CK Relevance

ATT&CK relevance is shown only when reviewed or responsibly inferred.