Description
A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check.
Client-side authentication is extremely weak and may be breached easily. Any attacker may read the source code and reverse-engineer the authentication mechanism to access parts of the application which would otherwise be protected.
Potential Impact
Access Control
Bypass Protection Mechanism, Gain Privileges or Assume Identity
Demonstrative Examples
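As an added illustration (not part of the CWE entry or any real product), the weakness beside its fix in Python: the client performs the password check and reports the result, one server trusts that report, and the hardened server re-verifies the credential itself. The credential store, user name and password are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed credential store for this example: username -> (salt, PBKDF2 hash).
# The password "correct horse" is made up; never hard-code real credentials.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}

def _credentials_valid(username: str, password: str) -> bool:
    """Verify a password against the store in constant time; unknown users fail."""
    entry = USERS.get(username)
    if entry is None:
        return False
    salt, expected = entry
    return hmac.compare_digest(expected, _hash_password(password, salt))

def client_login(username: str, password: str) -> Optional[dict]:
    """Unmodified client: checks the password locally, then tells the server it passed."""
    if not _credentials_valid(username, password):
        return None
    return {"user": username, "authenticated": True}

def vulnerable_server(request: dict) -> str:
    """CWE-603 pattern: the server trusts the client's 'authenticated' flag.
    A client with the check removed is granted access without any password."""
    if request.get("authenticated") is True:
        return f"secret for {request.get('user', '?')}"
    return "denied"

def hardened_server(request: dict) -> str:
    """Mitigation: the server verifies the credential itself and ignores any
    client-supplied claim of being authenticated."""
    if _credentials_valid(request.get("user", ""), request.get("password", "")):
        return f"secret for {request['user']}"
    return "denied"

if __name__ == "__main__":
    honest = client_login("alice", "correct horse")
    forged = {"user": "alice", "authenticated": True}  # sent with no password known
    print(vulnerable_server(honest), vulnerable_server(forged))  # both granted
    print(hardened_server(forged))                                # denied
    print(hardened_server({"user": "alice", "password": "correct horse"}))
```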
Mitigations & Prevention
Do not rely on client-side data. Always perform server-side authentication.
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2022-33139 | SCADA system only uses client-side authentication, allowing adversaries to impersonate other users. |
| CVE-2006-0230 | Client-side check for a password allows access to a server using crafted XML requests from a modified client. |
Related Weaknesses
Frequently Asked Questions
What is CWE-603?
CWE-603 (Use of Client-Side Authentication) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check.
How can CWE-603 be exploited?
Attackers can exploit CWE-603 (Use of Client-Side Authentication) to bypass a protection mechanism, gain privileges, or assume another identity. This weakness is typically introduced during the Architecture and Design or Implementation phases of software development.
How do I prevent CWE-603?
Key mitigations include: do not rely on client-side data, and always perform server-side authentication.
What is the severity of CWE-603?
CWE-603 is classified as a Base-level weakness (Medium abstraction). It has been observed in 2 real-world CVEs.