CWE Glossary

CWE is a trademark of the MITRE Corporation.


Improper Authentication [CWE-287]

This weakness covers flawed mechanisms for verifying a user's identity.

Created: September 11, 2012
Latest Update: August 6, 2015

Table of Content

  1. Description
  2. Potential impact
  3. Attack patterns
  4. Affected software
  5. Severity and CVSS Scoring
  6. Mitigations
  7. References
  8. Latest Related Security Advisories

1. Description

Authentication is one part of the AAA (Authentication, Authorization, Accounting) security model. It is the process by which a system or application validates the supplied credentials and assigns the appropriate privileges.

This weakness occurs when an application improperly verifies the identity of a user. If the software incorrectly validates logon information, or permits credential-gathering techniques such as brute force or spoofing, an attacker can gain certain privileges within the application or disclose sensitive information.

For example, an application uses the "group" parameter passed in an HTTP GET request to assign privileges. If the parameter equals "user", the application only allows viewing the information; if it equals "admin", it also allows editing the information on the page:
http://[host]/index.php?page=1&group=user
http://[host]/index.php?page=1&group=admin

If an attacker changes the value of the "group" parameter to "admin", they will be able to modify the page.

The above example is only a simple demonstration of how the weakness works. In real-world scenarios, improper authentication can result from different sources, e.g. a software misconfiguration, or can be introduced by another vulnerability such as SQL injection, cross-site scripting, path traversal, or local or remote file inclusion.
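The "group" parameter example above, written out as an added illustration (not code from the original page): a handler that takes its role from the query string beside a hardened one that derives the role from a server-side session. The host name, session IDs, user names and role table are constructed for the example.

```python
# Added example: client-controlled "group" parameter (CWE-287) versus a
# role looked up from the authenticated server-side session.
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed server-side state: session ID -> authenticated user,
# and user -> role assigned by the application at account creation.
SESSIONS = {"s3ss10n-alice": "alice", "s3ss10n-bob": "bob"}
USER_ROLES = {"alice": "admin", "bob": "user"}
PERMISSIONS = {"user": {"view"}, "admin": {"view", "edit"}}


def query_params(url: str) -> dict:
    """Flatten the query string of a request URL into {name: first value}."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def vulnerable_can_edit(url: str) -> bool:
    """Weak variant: the role comes from the request, so any client can claim 'admin'."""
    group = query_params(url).get("group", "user")
    return "edit" in PERMISSIONS.get(group, set())


def hardened_can_edit(url: str, session_cookie: Optional[str]) -> bool:
    """Hardened variant: the role is bound to the authenticated session; the
    query string is parsed only for page selection and never for privileges."""
    user = SESSIONS.get(session_cookie or "")
    if user is None:
        return False  # unauthenticated request: deny regardless of parameters
    role = USER_ROLES.get(user, "user")
    return "edit" in PERMISSIONS[role]


if __name__ == "__main__":
    # Constructed request: an anonymous client claiming the "admin" group.
    url = "http://example.test/index.php?page=1&group=admin"
    print("vulnerable handler grants edit:", vulnerable_can_edit(url))
    print("hardened handler, no session:  ", hardened_can_edit(url, None))
    print("hardened handler, bob (user):  ", hardened_can_edit(url, "s3ss10n-bob"))
    print("hardened handler, alice (admin):", hardened_can_edit(url, "s3ss10n-alice"))
```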

2. Potential impact

The attacker might be able to gain unauthorized access to the application and to otherwise restricted areas, and perform certain actions, e.g. disclose sensitive information, alter the application, or even execute arbitrary code.

An attacker can use a variety of vectors to exploit this weakness, including brute-force, session fixation, and Man-in-the-Middle (MitM) attacks.

3. Attack patterns

The following CAPEC patterns apply to this weakness:


WASC describes this weakness under two attack types:

4. Affected software

Multiuser systems and applications that use different privilege levels are potentially vulnerable to this weakness.

5. Severity and CVSS Scoring

This weakness should be scored depending on the maximum possible impact. Below are several examples of scoring the weakness:

Information disclosure (MitM attack)
4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) - Medium severity.

Control over the application

If a remote attacker can gain complete access to the application, the weakness is usually scored as:
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) - High severity.

Remote code execution

Improper authentication can also result in a fully compromised system if the vulnerable application has sufficient privileges to execute arbitrary commands. In this case, the weakness should be scored with the maximum CVSS rating:
10 (AV:N/AC:L/Au:N/C:C/I:C/A:C) - Critical severity.


We use the CVSSv2 scoring system in our HTB Security Advisories to calculate the risk of the discovered vulnerabilities. Not all vulnerabilities are scored in strict accordance with FIRST recommendations. Our CVSSv2 scores are based on our long internal experience in software auditing and penetration testing, taking into consideration many practical nuances and details. Therefore, they may sometimes differ from those recommended by FIRST.

6. Mitigations

To protect the application from this weakness, it is advised to implement strong authentication methods that feature anti-brute-force and session protection mechanisms.

7. References

  1. CWE-287: Improper Authentication [cwe.mitre.org]
  2. CVE-2009-3421 [cve.mitre.org]
  3. Authentication [msdn.microsoft.com]

8. Latest HTB Security Advisories with CWE-287


Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to High-Tech Bridge is given.
