Total Tests:

CWE Glossary

CWE is a trademark of the MITRE Corporation.

Stay in Touch

Get exclusive updates and invitations to our events and webinars:

Your data will stay confidential Private and Confidential

Improper Authentication [CWE-287]

Improper Authentication weakness describes improper mechanisms of user's identity verification.

Improper Authentication [CWE-287]

Created: September 11, 2012
Latest Update: December 15, 2020

Table of Content

  1. Description
  2. Potential impact
  3. Attack patterns
  4. Affected software
  5. Severity and CVSS Scoring
  6. Mitigations
  7. References
  8. Latest Related Security Advisories

Want to have an in-depth understanding of all modern aspects of
Improper Authentication [CWE-287]? Read carefully this article and bookmark it to get back later, we regularly update this page.

1. Description

Authentication is a part of the AAA (Authentication, Authorization, Accounting) security model. It is a process by which the system or application validates supplied credentials and assigns appropriate privileges.

This weakness occurs when application improperly verifies identity of a user. If software incorrectly validates user logon information or allows using different techniques of malicious credentials gathering (e.g. brute force, spoofing), an attacker can gain certain privileges within the application or disclose sensitive information.

For example, a software uses the "group" parameter passed in the HTTP GET request to assign certain privileges within the application. If the parameter is equal to "user" the application allows viewing the information, if it is equal to "admin", then it is possible to edit information on the page:

If an attacker changes the value of the "group" parameter to "admin", he will be able to modify the page.

The above example is just a simple demonstration of how the weakness works. In real-world scenarios, improper authentication can result from different sources, e.g. software misconfiguration, or can be introduced by another vulnerability, such as SQL injection, cross-site scripting, path traversal, local or remote file inclusion, etc.

2. Potential impact

The attacker might be able to gain unauthorized access to the application and otherwise restricted areas and perform certain actions, e.g. disclose sensitive information, alter application, or even execute arbitrary code.

An attacker can use a variety of vectors to exploit this weakness, including brute-force, session fixation, and Man-in-the-Middle (MitM) attacks.

How to Detect Improper Authentication Vulnerabilities
Website Security Test
  • GDPR & PCI DSS Test
  • Website CMS Security Test
  • CSP & HTTP Headers Check
  • WordPress & Drupal Scanning
Try For Free

3. Attack patterns

There are following CAPEC patterns for this weakness:

This weakness is described by WASC under two attack types:

4. Affected software

Multiuser systems and applications that use different privilege levels are potentially vulnerable to this weakness.

5. Severity and CVSS Scoring

This weakness should be scored depending on the maximum possible impact. Below are several examples of scoring the weakness:

Information disclosure (MitM attack)
4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) - Medium severity.

Control over the application

If a remote attacker can gain complete access to the application, the weakness is usually scored as:
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) - High severity.

Remote code execution

Improper authentication can also result in fully compromised system, if vulnerable application has enough privileges to execute arbitrary commands. In this case, the weakness should be scored with the maximum CVSS rating:
10 (AV:N/AC:L/Au:N/C:C/I:C/A:C) - Critical severity.

We use CVSSv2 scoring system in our HTB Security Advisories to calculate the risk of the discovered vulnerabilities. Not all of the vulnerabilities are scored in strict accordance to FIRST recommendations. Our CVSSv2 scores are based on our long internal experience in software auditing and penetration testing, taking into consideration a lot of practical nuances and details. Therefore, sometimes they may differ from those ones that are recommended by FIRST.

6. Mitigations

To protect the application from this weakness it is advised to implement strong authentication methods that features anti brute force and session protection mechanisms.

7. References

  1. CWE-287: Improper Authentication []
  2. CVE-2009-3421 []
  3. Authentication []

8. Improper Authentication Vulnerabilities, Exploits and Examples

Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to ImmuniWeb is given.

↑ Back to Top
Book a Call Ask a Question
Talk to ImmuniWeb Experts
ImmuniWeb AI Platform
Have a technical question?

Our security experts will answer within
one business day. No obligations.

Have a sales question?
Tel: +41 22 560 6800 (Switzerland)
Tel: +1 720 605 9147 (USA)
Your data will stay private and confidential