1. Home
  2. CWE Database
  3. CWE-304
Base · Medium

CWE-304: Missing Critical Step in Authentication

The product implements an authentication technique, but it skips a step that weakens the technique.

CWE-304 · Base Level ·2 CVEs

Description

The product implements an authentication technique, but it skips a step that weakens the technique.

Authentication techniques should follow the algorithms that define them exactly, otherwise authentication can be bypassed or more easily subjected to brute force attacks.

Potential Impact

Access Control, Integrity, Confidentiality

Bypass Protection Mechanism, Gain Privileges or Assume Identity, Read Application Data, Execute Unauthorized Code or Commands

Detection Methods

  • Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE IDDescription
CVE-2004-2163Shared secret not verified in a RADIUS response packet, allowing authentication bypass by spoofing server replies.
CVE-2005-3327Chain: Authentication bypass by skipping the first startup step as required by the protocol.

CWE-303: Incorrect Implementation of Authentication Algorithm

The requirements for the product dictate the use of an established authentication algorithm, but the implementation of t...

CWE-573: Improper Following of Specification by Caller

The product does not follow or incorrectly follows the specifications as required by the implementation language, enviro...

Taxonomy Mappings

  • PLOVER: — Missing Critical Step in Authentication

Frequently Asked Questions

What is CWE-304?

CWE-304 (Missing Critical Step in Authentication) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product implements an authentication technique, but it skips a step that weakens the technique.

How can CWE-304 be exploited?

Attackers can exploit CWE-304 (Missing Critical Step in Authentication) to bypass protection mechanism, gain privileges or assume identity, read application data, execute unauthorized code or commands. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-304?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-304?

CWE-304 is classified as a Base-level weakness (Medium abstraction). It has been observed in 2 real-world CVEs.