[Forgot Password]
Login  Register Subscribe

25354

 
 

132805

 
 

138622

 
 

909

 
 

112583

 
 

156

Paid content will be excluded from the download.


Download | Alert*
CWE
view XML

Insufficiently Protected Credentials

ID: 522Date: (C)2012-05-14   (M)2020-01-24
Type: weaknessStatus: INCOMPLETE
Abstraction Type: Base





Description

This weakness occurs when the application transmits or stores authentication credentials and uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Applicable Platforms
None

Time Of Introduction

  • Architecture and Design
  • Implementation

Related Attack Patterns

Common Consequences

ScopeTechnical ImpactNotes
Access_Control
 
Gain privileges / assume identity
 
An attacker could gain access to user accounts and access sensitive data used by the user accounts.
 

Detection Methods
None

Potential Mitigations

PhaseStrategyDescriptionEffectivenessNotes
Architecture and Design
 
 Use an appropriate security mechanism to protect the credentials.
 
  
Architecture and Design
 
 Make appropriate use of cryptography to protect the credentials.
 
  
Implementation
 
 Use industry standards to protect the credentials (e.g. LDAP, keystore, etc.).
 
  

Relationships

Related CWETypeViewChain
CWE-522 ChildOf CWE-895 Category CWE-888  

Demonstrative Examples   (Details)

  1. Both of these examples verify a password by comparing it to a stored compressed version. (Demonstrative Example Id DX-59)
  2. The following code reads a password from a properties file and uses the password to connect to a database. (Demonstrative Example Id DX-57)
  3. The following code reads a password from the registry and uses the password to create a new network credential. (Demonstrative Example Id DX-58)
  4. The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in plaintext. (Demonstrative Example Id DX-43)
  5. This code changes a user's password. (Demonstrative Example Id DX-56)

Observed Examples

  1. CVE-2007-0681 : Web app allows remote attackers to change the passwords of arbitrary users without providing the original password, and possibly perform other unauthorized actions.
  2. CVE-2000-0944 : Web application password change utility doesn't check the original password.
  3. CVE-2005-3435 : product authentication succeeds if user-provided MD5 hash matches the hash in its database; this can be subjected to replay attacks.
  4. CVE-2005-0408 : chain: product generates predictable MD5 hashes using a constant value combined with username, allowing authentication bypass.

For more examples, refer to CVE relations in the bottom box.

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

TaxynomyIdNameFit
Anonymous Tool Vendor (under NDA)  
 
 
OWASP Top Ten 2007 A7
 
Broken Authentication and Session Management
 
CWE_More_Specific
 
OWASP Top Ten 2004 A3
 
Broken Authentication and Session Management
 
CWE_More_Specific
 

References:

  1. Michael Howard David LeBlanc John Viega .24 Deadly Sins of Software Security. McGraw-Hill. Section:'"Sin 19: Use of Weak Password-Based Systems." Page 279'. Published on 2010.
CVE    236
CVE-2018-1139
CVE-2018-4190
CVE-2019-15235
CVE-2019-16566
...

© SecPod Technologies