Base · Medium

CWE-302: Authentication Bypass by Assumed-Immutable Data

The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.

CWE-302 · Base Level · 9 CVEs · 1 Mitigation

Description

The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.

Potential Impact

Scope: Access Control

Technical Impact: Bypass Protection Mechanism

Demonstrative Examples

In the following example, an "authenticated" cookie is used to decide whether a user should be granted access to a system.
Bad
```java
// Bad: the "authenticated" cookie is supplied by the client, but the code
// treats it as if it were immutable and uses it directly as the access decision.
boolean authenticated = new Boolean(getCookieValue("authenticated")).booleanValue();
if (authenticated) {
    ...
}
```
Modifying the value of a cookie on the client side is trivial (a browser extension, an intercepting proxy, or a hand-written HTTP request will do it), but many developers assume that cookies are essentially immutable. Any value that round-trips through the client, including cookies, hidden form fields and URL parameters, must be treated as attacker-controlled input.

Mitigations & Prevention

Phases: Architecture and Design; Operation; Implementation

Implement proper protection for data that the authentication scheme assumes to be immutable (e.g. environment variables, hidden form fields, cookies). In practice this means either keeping the security-relevant state on the server and letting the client hold only an unguessable reference to it, or, if the state must travel through the client, binding it with a keyed MAC so that any modification is detected before the value is used.
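The following is an added example, not code from the CWE entry, that puts the cookie check from the demonstrative example beside the two mitigation patterns described above: server-side session state referenced by an unguessable id, and an HMAC-bound cookie whose tampering is detected. The cookie dicts, the in-memory session store and the signing key are all constructed for the example; the function names are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# A "cookie jar" is modelled as a plain dict standing in for the Cookie header a
# browser sends. Every value in it is under the client's control.
Cookies = Dict[str, str]


def vulnerable_is_authenticated(cookies: Cookies) -> bool:
    """CWE-302 pattern: a client-supplied flag is trusted as the access decision."""
    return cookies.get("authenticated", "false").lower() == "true"


# Mitigation 1: keep the state server-side. The cookie carries only an
# unguessable session id; it is a reference to the data, not the data itself.
_SESSIONS: Dict[str, str] = {}  # session id -> username (constructed in-memory store)


def create_session(username: str) -> str:
    """Return a fresh 256-bit session id bound to the given user."""
    sid = secrets.token_urlsafe(32)
    _SESSIONS[sid] = username
    return sid


def session_user(cookies: Cookies) -> Optional[str]:
    """Resolve the session cookie to a user; unknown or missing ids yield None."""
    return _SESSIONS.get(cookies.get("session", ""))


# Mitigation 2: if state must live in the cookie, bind it with an HMAC so that
# modification is detectable. The key is generated per process for this example;
# a real deployment stores it in a secret store and rotates it.
_KEY = secrets.token_bytes(32)


def sign_cookie(value: str, key: bytes = _KEY) -> str:
    """Produce 'value.<hex HMAC-SHA256 tag>' for a cookie value."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_cookie(raw: str, key: bytes = _KEY) -> Optional[str]:
    """Return the protected value if the tag verifies, else None.

    The tag is hex and contains no '.', so rpartition splits correctly even
    when the protected value itself contains dots.
    """
    value, sep, tag = raw.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: avoids leaking tag bytes through timing.
    if not hmac.compare_digest(expected, tag):
        return None
    return value


def signed_user(cookies: Cookies) -> Optional[str]:
    """Resolve the signed 'auth' cookie to a username, or None if forged/absent."""
    return verify_cookie(cookies.get("auth", ""))


def tamper(signed: str, new_value: str) -> str:
    """Attacker helper: swap the protected value but keep the original tag."""
    _, _, tag = signed.rpartition(".")
    return f"{new_value}.{tag}"


if __name__ == "__main__":
    # Constructed attacker request: no login, just a hand-set cookie.
    forged = {"authenticated": "true"}
    print("vulnerable check:", vulnerable_is_authenticated(forged))  # True
    print("session check:", session_user(forged))                    # None
    print("signed check:", signed_user(forged))                      # None

    # Legitimate login through each mitigation.
    print("session user:", session_user({"session": create_session("alice")}))
    print("signed user:", signed_user({"auth": sign_cookie("alice")}))

    # Attacker edits the protected value of a genuine signed cookie.
    print("tampered:", signed_user({"auth": tamper(sign_cookie("alice"), "admin")}))
```

The vulnerable function accepts the forged cookie outright, the session lookup fails because the attacker cannot guess a valid id, and the signed variant fails because the tag no longer matches the edited value. Note that the HMAC only protects integrity: a captured valid cookie can still be replayed, so an expiry and a binding to the session are still needed on top of it.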

Real-World CVE Examples

CVE ID          Description
CVE-2002-0367   DebPloit
CVE-2004-0261   Web auth
CVE-2002-1730   Authentication bypass by setting certain cookies to "true".
CVE-2002-1734   Authentication bypass by setting certain cookies to "true".
CVE-2002-2064   Admin access by setting a cookie.
CVE-2002-2054   Gain privileges by setting cookie.
CVE-2004-1611   Product trusts authentication information in cookie.
CVE-2005-1708   Authentication bypass by setting admin-testing variable to true.
CVE-2005-1787   Bypass auth and gain privileges by setting a variable.

Taxonomy Mappings

  • PLOVER — Authentication Bypass via Assumed-Immutable Data
  • OWASP Top Ten 2004: A1 — Unvalidated Input
  • The CERT Oracle Secure Coding Standard for Java (2011): SEC02-J — Do not base security checks on untrusted sources

Frequently Asked Questions

What is CWE-302?

CWE-302 (Authentication Bypass by Assumed-Immutable Data) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.

How can CWE-302 be exploited?

Attackers exploit CWE-302 (Authentication Bypass by Assumed-Immutable Data) by modifying a client-controlled value (a cookie, hidden form field, or similar variable) that the application wrongly treats as trustworthy, thereby bypassing its protection mechanism. The weakness is typically introduced during the Architecture and Design or Implementation phases of software development.

How do I prevent CWE-302?

Key mitigations include: implement proper protection for data the authentication scheme assumes to be immutable (e.g. environment variables, hidden form fields, cookies), either by keeping that state on the server or by binding it with a keyed MAC before trusting it.

What is the severity of CWE-302?

CWE-302 is classified as a Base-level weakness (abstraction level: Base). It has been observed in the 9 real-world CVEs listed above.