1. Home
  2. CWE Database
  3. CWE-294
Base · Medium

CWE-294: Authentication Bypass by Capture-replay

A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the s...

CWE-294 · Base Level ·2 CVEs ·2 Mitigations

Description

A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).

Capture-replay attacks are common and can be difficult to defeat without cryptography. They are a subset of network injection attacks that rely on observing previously-sent valid commands, then changing them slightly if necessary and resending the same commands to the server.

Potential Impact

Access Control

Gain Privileges or Assume Identity

Mitigations & Prevention

Architecture and Design

Utilize some sequence or time stamping functionality along with a checksum which takes this into account in order to ensure that messages can be parsed only once.

Architecture and Design

Since any attacker who can listen to traffic can see sequence numbers, it is necessary to sign messages with some kind of cryptography to ensure that sequence numbers are not simply doctored along with content.

Real-World CVE Examples

CVE IDDescription
CVE-2005-3435product authentication succeeds if user-provided MD5 hash matches the hash in its database; this can be subjected to replay attacks.
CVE-2007-4961Chain: cleartext transmission of the MD5 hash of password (CWE-319) enables attacks against a server that is susceptible to replay (CWE-294).

CWE-1390: Weak Authentication

The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does ...

CWE-287: Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is cor...

Taxonomy Mappings

  • PLOVER: — Authentication bypass by replay
  • CLASP: — Capture-replay

Frequently Asked Questions

What is CWE-294?

CWE-294 (Authentication Bypass by Capture-replay) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the s...

How can CWE-294 be exploited?

Attackers can exploit CWE-294 (Authentication Bypass by Capture-replay) to gain privileges or assume identity. This weakness is typically introduced during the Architecture and Design phase of software development.

How do I prevent CWE-294?

Key mitigations include: Utilize some sequence or time stamping functionality along with a checksum which takes this into account in order to ensure that messages can be parsed only once.

What is the severity of CWE-294?

CWE-294 is classified as a Base-level weakness (Medium abstraction). It has been observed in 2 real-world CVEs.