CWE-602: Client-Side Enforcement of Server-Side Security
Official CWE-602 CWE context with Glexia analysis, remediation guidance, related CVEs, and ATT&CK context.
Glexia's Take
CWE-602: Client-Side Enforcement of Server-Side Security
Client-Side Enforcement of Server-Side Security represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Executive Impact
- Access Control, Availability (Bypass Protection Mechanism; DoS: Crash, Exit, or Restart): Client-side validation checks can be easily bypassed, allowing malformed or unexpected input to pass into the application, potentially as trusted data. This may lead to unexpected states and behaviors, and possibly a resulting crash.
- Access Control (Bypass Protection Mechanism; Gain Privileges or Assume Identity): Client-side checks for authentication can be easily bypassed, allowing clients to escalate their access levels and perform unintended actions.
Developer Pattern
CWE-602 is the kind of defect developers can usually prevent with explicit validation, safer framework defaults, and tests that exercise hostile input or unsafe state transitions.
Confidence
High confidence, derived from the CWE-602 entry (CWE version 4.20).
Official CWE Definition
CWE-602: Client-Side Enforcement of Server-Side Security
The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.
When the server relies on protection mechanisms placed on the client side, an attacker can modify the client-side behavior to bypass the protection mechanisms, resulting in potentially unexpected interactions between the client and server. The consequences will vary, depending on what the mechanisms are trying to protect.
Developer And Remediation Guidance
How teams prevent and detect this weakness
Causes
- This example contains client-side code that checks if the user authenticated successfully before sending a command. The server-side code performs the authentication in one step, and executes the command in a separate step. The entry's listings are labelled CLIENT-SIDE (client.pl) and SERVER-SIDE (server.pl). The server accepts 2 commands, "AUTH" which authenticates the user, and "CHANGE-ADDRESS" which updates the address field for the username. The client performs the authentication and only sends a CHANGE-ADDRESS for that user if the authentication succeeds. Because the client has already performed the authentication, the server assumes that the username in the CHANGE-ADDRESS is the same as the authenticated user. An attacker could modify the client by removing the code that sends the "AUTH" command and simply executing the CHANGE-ADDRESS.
- In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications. Multiple vendors used client-side authentication in their OT products.
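The AUTH / CHANGE-ADDRESS scenario above, as an added Python example that is not the CWE entry's client.pl or server.pl: a server that trusts the client to have authenticated (the CWE-602 pattern) next to one that tracks authentication per connection and binds each update to that identity. Usernames, passwords and addresses are constructed sample data.

```python
USERS = {"alice": "s3cret", "bob": "hunter2"}          # constructed sample credentials
ADDRESSES = {"alice": "1 Main St", "bob": "2 Oak Ave"}  # constructed sample data


class VulnerableServer:
    """Assumes the client ran AUTH before CHANGE-ADDRESS (the CWE-602 pattern)."""

    def __init__(self):
        self.addresses = dict(ADDRESSES)

    def handle(self, line):
        cmd, *args = line.split("\t")
        if cmd == "AUTH":
            user, password = args
            return "AUTH OK" if USERS.get(user) == password else "AUTH FAIL"
        if cmd == "CHANGE-ADDRESS":
            user, address = args  # username taken on trust from the client
            self.addresses[user] = address
            return "ADDRESS CHANGED"
        return "UNKNOWN COMMAND"


class HardenedServer(VulnerableServer):
    """Tracks authentication per connection and binds every update to it."""

    def __init__(self):
        super().__init__()
        self.authenticated_user = None  # set only by a successful AUTH here

    def handle(self, line):
        cmd, *args = line.split("\t")
        if cmd == "AUTH":
            user, password = args
            self.authenticated_user = user if USERS.get(user) == password else None
            return "AUTH OK" if self.authenticated_user else "AUTH FAIL"
        if cmd == "CHANGE-ADDRESS":
            user, address = args
            # The check the client was trusted to do is repeated server-side, and
            # the username in the request must match the authenticated identity.
            if self.authenticated_user is None or user != self.authenticated_user:
                return "NOT AUTHORIZED"
            self.addresses[user] = address
            return "ADDRESS CHANGED"
        return "UNKNOWN COMMAND"


def client_without_auth(server, target_user="bob"):
    """A client whose AUTH step was removed; only the server can stop this."""
    return server.handle(f"CHANGE-ADDRESS\t{target_user}\tnew address")
```

Running `client_without_auth` against each server shows the difference: the vulnerable server answers "ADDRESS CHANGED", the hardened one "NOT AUTHORIZED".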
Remediation
- Architecture and Design: If some degree of trust is required between the two entities, then use integrity checking and strong authentication to ensure that the inputs are coming from a trusted source. Design the product so that this trust is managed in a centralized fashion, especially if there are complex or numerous communication channels, in order to reduce the risks that the implementer will mistakenly omit a check in a single code path.
Detection
- Fuzzing: Use dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
- Manual Analysis: Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.
Mappings
Related CVEs, CWEs, and ATT&CK context
Related CWEs
- CWE-565: Reliance on Cookies without Validation and Integrity Checking
- CWE-290: Authentication Bypass by Spoofing
- CWE-300: Channel Accessible by Non-Endpoint
- CWE-471: Modification of Assumed-Immutable Data (MAID)
- CWE-693: Protection Mechanism Failure
- CWE-603: Use of Client-Side Authentication
- CWE-836: Use of Password Hash Instead of Password for Authentication
ATT&CK Relevance
ATT&CK relevance is shown only when reviewed or responsibly inferred.