[Forgot Password]
Login  Register Subscribe

25354

 
 

132811

 
 

147852

 
 

909

 
 

118110

 
 

156

Paid content will be excluded from the download.


Download | Alert*
CWE
view XML

Authentication Bypass by Spoofing

ID: 290Date: (C)2012-05-14   (M)2020-06-12
Type: weaknessStatus: INCOMPLETE
Abstraction Type: Base





Description

This attack-focused weakness is caused by improperly implemented authentication schemes that are subject to spoofing attacks.

Applicable Platforms
None

Time Of Introduction

  • Architecture and Design
  • Implementation

Related Attack Patterns

Common Consequences

ScopeTechnical ImpactNotes
Access_Control
 
Bypass protection mechanism
Gain privileges / assume identity
 
This weakness can allow an attacker to access resources which are not otherwise accessible without proper authentication.
 

Detection Methods
None

Potential Mitigations
None

Relationships
This can be resultant from insufficient verification.

Related CWETypeViewChain
CWE-290 ChildOf CWE-902 Category CWE-888  

Demonstrative Examples   (Details)

  1. Both of these examples check if a request is from a trusted address before responding to the request. (Demonstrative Example Id DX-99)
  2. Here, an authentication mechanism implemented in Java relies on an IP address for source validation. If an attacker is able to spoof the IP, however, he may be able to bypass such an authentication mechanism.
  3. The following code samples use a DNS lookup in order to decide whether or not an inbound request is from a trusted host. If an attacker can poison the DNS cache, they can gain trusted status. (Demonstrative Example Id DX-93)

Observed Examples

  1. CVE-2009-1048 : VOIP product allows authentication bypass using 127.0.0.1 in the Host header.

For more examples, refer to CVE relations in the bottom box.

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

TaxynomyIdNameFit
PLOVER  Authentication bypass by spoofing
 
 

References:

  1. Mark Dowd John McDonald Justin Schuh .The Art of Software Security Assessment 1st Edition. Addison Wesley. Section:'Chapter 3, "Spoofing and Identification", Page 72.'. Published on 2006.
CVE    38
CVE-2018-7160
CVE-2019-14886
CVE-2013-5661
CVE-2020-11015
...

© SecPod Technologies