CWE Glossary

CWE is a trademark of the MITRE Corporation.


Missing Authentication for Critical Function [CWE-306]

This weakness describes Missing Authentication for Critical Function.

Created: June 11, 2018

Table of Contents

  1. Description
  2. Potential impact
  3. Attack patterns
  4. Affected software
  5. Mitigations
  6. References

1. Description

This weakness describes a case where software does not validate the user's identity before allowing access to privileged application functionality.

This vulnerability is often introduced during the architecture and design phase of the application development process.

A real-world example of such an issue is a critical vulnerability in the web interface of McAfee Advanced Threat Defense (CVE-2017-4052). The vulnerability allows a remote unauthenticated attacker to send a specially crafted HTTP request to the affected application and change configuration settings or gain administrative access.

2. Potential impact

Depending on the exposed functionality and application capabilities, the impact of this vulnerability can vary from information disclosure to complete application compromise.

3. Attack patterns

The following CAPEC patterns are related to this weakness:

4. Affected software

Missing authentication for critical function is a language-independent issue that can appear in any multiuser environment.

5. Mitigations

As with most authentication-related issues, it is hard to provide universal recommendations on how to fix this vulnerability.

Developing a fix requires an understanding of the current application security model and the implemented access controls.

Three basic rules, however, can help you eliminate potential improper authorization issues:

  1. Identify all privileged assets within your application (web pages that display sensitive data, website sections that contain privileged/administrative functionality, etc.)
  2. Identify user roles within the application and their access permissions
  3. Always check if the user should have privileges to access the asset
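The following is an added example, not code from the High-Tech Bridge page or from the McAfee product mentioned above. It shows the three rules applied in a minimal request router: an inventory of privileged assets (rule 1), a role-to-permission map (rule 2), and a check performed before any privileged code runs (rule 3), next to the CWE-306 pattern the Description section refers to, where the handler dispatches on the path alone and never establishes who is calling. All names (handle_request, PRIVILEGED_ASSETS, ROLE_PERMISSIONS, the session tokens) and the sample data are constructed for illustration.

```python
"""Added example for CWE-306 (not from the original page): a request
router that authenticates the caller and authorises the requested asset
before any privileged function runs. All identifiers and sample data
here are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# Rule 1: inventory of privileged assets, keyed by path, with the permission
# each one requires. Paths not listed here and not explicitly public are
# treated as privileged (fail closed), so a newly added admin page is not
# silently exposed because nobody registered it.
PRIVILEGED_ASSETS = {
    "/admin/config": "config:write",
    "/admin/users": "users:manage",
    "/reports/export": "reports:read",
}
PUBLIC_PATHS = {"/", "/login", "/health"}

# Rule 2: user roles and the permissions granted to each.
ROLE_PERMISSIONS = {
    "admin": {"config:write", "users:manage", "reports:read"},
    "analyst": {"reports:read"},
    "viewer": set(),
}

# Constructed session store standing in for a real session backend.
SESSIONS = {
    "tok-admin": {"user": "alice", "role": "admin"},
    "tok-analyst": {"user": "bob", "role": "analyst"},
}


@dataclass
class Request:
    path: str
    session_token: Optional[str] = None


@dataclass
class Response:
    status: int
    body: str


def change_config(session: dict) -> Response:
    """Privileged operation; the identity check must happen before this."""
    return Response(200, f"config updated by {session['user']}")


def handle_request_vulnerable(req: Request) -> Response:
    """CWE-306 pattern: the handler trusts the path alone and executes the
    privileged operation without establishing who the caller is."""
    if req.path == "/admin/config":
        return change_config({"user": "anonymous"})
    return Response(404, "not found")


def handle_request(req: Request) -> Response:
    """Hardened pattern: authenticate first, then authorise the asset
    (rule 3: always check before granting access)."""
    if req.path in PUBLIC_PATHS:
        return Response(200, "ok")
    session = SESSIONS.get(req.session_token) if req.session_token else None
    if session is None:
        # No valid identity: refuse before touching any privileged code.
        return Response(401, "authentication required")
    required = PRIVILEGED_ASSETS.get(req.path)
    if required is None:
        # Unregistered path: fail closed rather than assume it is harmless.
        return Response(403, "forbidden")
    if required not in ROLE_PERMISSIONS.get(session["role"], set()):
        return Response(403, "forbidden")
    if req.path == "/admin/config":
        return change_config(session)
    return Response(200, f"{req.path} allowed for {session['user']}")


if __name__ == "__main__":
    # Unauthenticated request: the vulnerable router changes configuration,
    # the hardened one refuses with 401.
    print(handle_request_vulnerable(Request("/admin/config")))
    print(handle_request(Request("/admin/config")))
    print(handle_request(Request("/admin/config", "tok-admin")))
```

The fail-closed default is the part most often missing in practice: an allow-list of privileged paths protects only what someone remembered to register, whereas treating every non-public path as privileged means forgetting an entry produces a 403 rather than an exposed administrative function.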

6. References

  1. CWE-306: Missing Authentication for Critical Function [cwe.mitre.org]

Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to High-Tech Bridge is given.
