Insufficiently Protected Credentials
ID: 522 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: INCOMPLETE |
Abstraction Type: Base |
Description
This weakness occurs when the application transmits or stores
authentication credentials and uses an insecure method that is susceptible to
unauthorized interception and/or retrieval.
Applicable Platforms: None
Time Of Introduction
- Architecture and Design
- Implementation
Related Attack Patterns
Common Consequences
Scope | Technical Impact | Notes |
---|---|---|
Access Control | Gain privileges / assume identity | An attacker could gain access to user accounts and access sensitive data used by the user accounts. |
Detection Methods: None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|---|---|---|---|
Architecture and Design | | Use an appropriate security mechanism to protect the credentials. | | |
Architecture and Design | | Make appropriate use of cryptography to protect the credentials. | | |
Implementation | | Use industry standards to protect the credentials (e.g. LDAP, keystore, etc.). | | |
Relationships
Related CWE | Type | View | Chain |
---|---|---|---|
CWE-522 ChildOf CWE-895 | Category | CWE-888 | |
Demonstrative Examples (Details)
- Both of these examples verify a password by comparing it to a stored compressed version. (Demonstrative Example Id DX-59)
- The following code reads a password from a properties file and uses the password to connect to a database. (Demonstrative Example Id DX-57)
- The following code reads a password from the registry and uses the password to create a new network credential. (Demonstrative Example Id DX-58)
- The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in plaintext. (Demonstrative Example Id DX-43)
- This code changes a user's password. (Demonstrative Example Id DX-56)
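The mitigations above and the demonstrative examples DX-43, DX-57 and DX-59 describe two storage-side failures: an application credential (a database password) kept in plaintext in a properties file, and user passwords verified against a stored "compressed" form that is neither keyed nor salted. The following Python is an added example, not code from the CWE entry; it places each weak pattern beside a hardened form. The properties files, the `APP_DB_PASSWORD` environment variable, the CRC32 stand-in for the "compressed" comparison, and the PBKDF2 work factor are all assumptions made for the illustration.

```python
"""Credential storage: plaintext config and weak verification vs. hardened forms."""
import hashlib
import hmac
import os
import secrets
import zlib
from typing import Optional, Tuple

# Constructed sample of the DX-43 / DX-57 layout: the database password sits in
# plaintext in a properties file that is readable by anyone who can read the file.
PROPERTIES_PLAINTEXT = """\
db.url=jdbc:postgresql://db.example.internal/app
db.user=appuser
db.password=Summer2024!
"""

# Constructed sample of a hardened layout (assumption): the file only names the
# credential source; the value is supplied at run time through the process
# environment, populated by a keystore, secrets manager or the orchestrator.
PROPERTIES_HARDENED = """\
db.url=jdbc:postgresql://db.example.internal/app
db.user=appuser
db.password.env=APP_DB_PASSWORD
"""


def parse_properties(text: str) -> dict:
    """Minimal key=value parser for the sample files; blank and '#' lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def load_db_password(props: dict, environ=os.environ) -> str:
    """Resolve the database password from the parsed properties.

    A plaintext 'db.password' is rejected rather than used, so the weak layout
    fails closed instead of silently working; the hardened layout is read from
    the environment variable it names.
    """
    if "db.password" in props:
        raise ValueError("db.password stored in plaintext; use db.password.env")
    var = props.get("db.password.env")
    if not var or var not in environ:
        raise KeyError(f"credential source {var!r} is not set in the environment")
    return environ[var]


# --- User password verification (DX-59 pattern vs. salted PBKDF2) ---------------

def weak_store(password: str) -> int:
    """DX-59 style: store a 'compressed' form of the password (CRC32 here as the
    stand-in). It is unkeyed, unsalted and 32 bits wide, so it is cheap to invert
    by brute force and identical for every user with the same password."""
    return zlib.crc32(password.encode())


def weak_verify(password: str, stored: int) -> bool:
    return zlib.crc32(password.encode()) == stored


# Assumption: work factor kept low so the example runs quickly; tune it to the
# hardware (OWASP's 2023 guidance is 600,000 iterations for PBKDF2-HMAC-SHA256).
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 digest; a fresh 16-byte salt per call."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    props = parse_properties(PROPERTIES_HARDENED)
    print(load_db_password(props, {"APP_DB_PASSWORD": "from-keystore"}))
    salt, digest = hash_password("hunter2")
    print(verify_password("hunter2", salt, digest), verify_password("hunter3", salt, digest))
```

Reading the credential from the environment is one of several acceptable sources; the point the mitigations make is that the properties file itself must not carry the secret. The salted derivation also shows why "compressed" storage is not a substitute for hashing: two users who pick the same password get the same CRC32 value but different PBKDF2 digests, so a precomputed table built against one account says nothing about another.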
Observed Examples
- CVE-2007-0681 : Web app allows remote attackers to change the passwords of arbitrary users without providing the original password, and possibly perform other unauthorized actions.
- CVE-2000-0944 : Web application password change utility doesn't check the original password.
- CVE-2005-3435 : Product authentication succeeds if the user-provided MD5 hash matches the hash in its database; this can be subjected to replay attacks.
- CVE-2005-0408 : chain: product generates predictable MD5 hashes using a constant value combined with username, allowing authentication bypass.
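The observed examples above describe two authentication-logic failures: accepting a client-supplied hash as the credential (CVE-2005-3435, where a captured hash can simply be replayed) and changing a password without checking the current one (CVE-2007-0681, CVE-2000-0944, and the DX-56 demonstrative example). The following Python is an added example, not code from the CWE entry or from any of the affected products; it reproduces both patterns in a `VulnerableAuth` class and sets the hardened equivalents beside them in `HardenedAuth`. The account names, passwords, PBKDF2 work factor and the assumption that the hardened login receives the password over a protected channel such as TLS are all made up for the illustration.

```python
"""Hash-as-credential replay and unchecked password change beside hardened forms."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


class VulnerableAuth:
    """The patterns the observed examples describe, reproduced so the failure is visible."""

    def __init__(self):
        self.users = {}  # username -> unsalted MD5 hex digest of the password

    def register(self, username: str, password: str) -> None:
        self.users[username] = hashlib.md5(password.encode()).hexdigest()

    def login_with_hash(self, username: str, client_hash: str) -> bool:
        # CVE-2005-3435 pattern: the client sends the hash instead of the password
        # and the server compares it to the stored one. The hash therefore *is*
        # the credential: anything that captured it once (on the wire, or from
        # the database) can replay it without ever knowing the password.
        return self.users.get(username) == client_hash

    def change_password(self, username: str, new_password: str) -> bool:
        # CVE-2007-0681 / CVE-2000-0944 pattern: the current password is never
        # checked, so any request that reaches this code resets the account.
        self.users[username] = hashlib.md5(new_password.encode()).hexdigest()
        return True


@dataclass
class Account:
    salt: bytes
    digest: bytes


class HardenedAuth:
    # Assumption: work factor kept low so the example runs quickly; tune it to the
    # hardware (OWASP's 2023 guidance is 600,000 for PBKDF2-HMAC-SHA256).
    ITERATIONS = 100_000

    def __init__(self):
        self.users = {}  # username -> Account(salt, pbkdf2 digest)

    @classmethod
    def _derive(cls, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.ITERATIONS)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = Account(salt, self._derive(password, salt))

    def login(self, username: str, password: str) -> bool:
        # Assumption: the password itself arrives over a protected channel (TLS).
        # The server derives and compares in constant time; a stolen stored digest
        # submitted in place of the password does not verify.
        acct = self.users.get(username)
        if acct is None:
            # Spend the same work for an unknown user so timing does not reveal
            # which usernames exist.
            self._derive(password, b"\x00" * 16)
            return False
        return hmac.compare_digest(self._derive(password, acct.salt), acct.digest)

    def change_password(self, username: str, current_password: str, new_password: str) -> bool:
        # The current password is required, so a hijacked session or a missing
        # authorization check upstream cannot be turned into an account takeover.
        if not self.login(username, current_password):
            return False
        self.register(username, new_password)  # fresh salt for the new digest
        return True


if __name__ == "__main__":
    weak = VulnerableAuth()
    weak.register("alice", "hunter2")
    captured = weak.users["alice"]  # what an eavesdropper or a DB leak yields
    print("replayed hash accepted:", weak.login_with_hash("alice", captured))
    print("reset without old password:", weak.change_password("alice", "pwned"))

    strong = HardenedAuth()
    strong.register("alice", "hunter2")
    print("correct password:", strong.login("alice", "hunter2"))
    print("stored digest as password:", strong.login("alice", strong.users["alice"].digest.hex()))
    print("reset with wrong old password:", strong.change_password("alice", "wrong", "new"))
```

Requiring the password rather than its hash does not by itself protect the credential in transit, which is why the hardened login assumes a protected channel; what it removes is the property that the stored value is password-equivalent and replayable. The change-password check is independent of session handling on purpose: it holds even when the surrounding authorization logic has a gap.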
White Box Definitions None
Black Box Definitions None
Taxonomy Mappings
Taxonomy | Id | Name | Fit |
---|---|---|---|
Anonymous Tool Vendor (under NDA) | | | |
OWASP Top Ten 2007 | A7 | Broken Authentication and Session Management | CWE_More_Specific |
OWASP Top Ten 2004 | A3 | Broken Authentication and Session Management | CWE_More_Specific |
References:
- Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". McGraw-Hill, 2010. Section: "Sin 19: Use of Weak Password-Based Systems", page 279.