CWE-302

Authentication Bypass by Assumed-Immutable Data

Abstraction: Base
Status: Incomplete

Description

The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.

Common Consequences

Scope: Access Control
Impact: Bypass Protection Mechanism

Potential Mitigations

Phases: Architecture and Design; Operation; Implementation

Implement proper protection for data that is assumed to be immutable (e.g. environment variables, hidden form fields, cookies, etc.), such as keeping it server-side or verifying its integrity before trusting it.

Observed Examples

CVE-2002-1730: Authentication bypass by setting certain cookies to "true".
CVE-2002-1734: Authentication bypass by setting certain cookies to "true".
CVE-2002-2064: Admin access by setting a cookie.
CVE-2002-2054: Gain privileges by setting cookie.
CVE-2004-1611: Product trusts authentication information in cookie.
CVE-2005-1708: Authentication bypass by setting admin-testing variable to true.
CVE-2005-1787: Bypass auth and gain privileges by setting a variable.
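The observed examples above share one pattern: a privilege flag is read from a client-controlled cookie as if the client could not change it. The following Python is an added illustration written for this entry, not code from CWE or from any of the affected products. It shows the weak check beside two defensive alternatives: keeping the role in a server-side session keyed by a random identifier, and, where state must travel in the cookie, verifying an HMAC over it before trusting it. The cookies are modelled as a plain dict, and the secret, session store and role names are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed for the demo; a real deployment loads this from a secrets store.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"

# Constructed in-memory session store: session id -> {"user": ..., "role": ...}
SESSIONS = {}


def is_admin_insecure(cookies):
    """CWE-302 pattern: the 'admin' cookie is treated as immutable, but the
    client sets it, so anyone who sends admin=true passes the check."""
    return cookies.get("admin") == "true"


def create_session(user, role):
    """Mitigation 1: store the role server-side. The client only ever holds an
    unguessable opaque identifier; the role never leaves the server."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user, "role": role}
    return session_id


def is_admin_session(cookies):
    """Look the role up by session id; a forged or unknown id maps to nothing."""
    session = SESSIONS.get(cookies.get("session_id", ""))
    return session is not None and session["role"] == "admin"


def sign_value(value):
    """Mitigation 2: if the role must be carried in the cookie, bind it to a
    server-side secret with an HMAC so edits are detected on the way back."""
    mac = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_signed(signed):
    """Return the embedded value only if its MAC verifies; otherwise None."""
    if not signed or "." not in signed:
        return None
    value, _, mac = signed.rpartition(".")
    expected = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many bytes matched.
    if hmac.compare_digest(mac, expected):
        return value
    return None


def is_admin_signed(cookies):
    """Trust the role claim only after the signature over it checks out."""
    return verify_signed(cookies.get("role")) == "admin"


if __name__ == "__main__":
    forged = {"admin": "true", "session_id": "made-up", "role": "admin"}
    print("insecure check, forged cookie:", is_admin_insecure(forged))   # True
    print("session check, forged cookie:", is_admin_session(forged))     # False
    print("signed check, forged cookie:", is_admin_signed(forged))       # False
    sid = create_session("alice", "admin")
    print("session check, real session:", is_admin_session({"session_id": sid}))
    print("signed check, real signature:", is_admin_signed({"role": sign_value("admin")}))
```

The session-store approach is the simpler of the two because there is nothing client-side to validate; the signed-cookie approach still needs a secret that is never exposed to clients and, in practice, an expiry bound into the signed value so that an old but valid cookie cannot be replayed indefinitely.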

Applicable Platforms

Not Language-Specific
