CWE Glossary

CWE is a trademark of the MITRE Corporation.

Stay in Touch

Weekly newsletter on AI, Application Security & Cybercrime


Your data will stay confidential Private and Confidential

Missing Authentication for Critical Function [CWE-306]

This weakness describes Missing Authentication for Critical Function.

Missing Authentication for Critical Function [CWE-306]

Created: June 11, 2018
Latest Update: January 10, 2019

Table of Content

  1. Description
  2. Potential impact
  3. Attack patterns
  4. Affected software
  5. Mitigations
  6. References

1. Description

This weakness describes a case where software does not perform validation of user identity before allowing access to any privileged application functionality.

This vulnerability is often introduced during architecture and design phase of application development process.

A real-world example of such issue is a critical vulnerability in web interface of McAfee Advanced Threat Defense (CVE-2017-4052). The vulnerability allows a remote unauthenticated attacker to send specially crafted HTTP request to the affected application and change configuration settings or gain administrative access.

2. Potential impact

Depending on exposed functionality and application capabilities the impact of this vulnerability can vary from information disclosure to complete application compromise.

How to Detect Missing Authentication for Critical Function Vulnerabilities
Free Website Security Test
  • Non-intrusive GDPR Test
  • Non-intrusive PCI DSS Test
Try Free Test
ImmuniWeb® On-Demand
  • Complete GDPR Audit
  • Complete PCI DSS Audit
  • Remediation Guidelines
  • DevSecOps Integration
Learn More

3. Attack patterns

The following CAPEC patterns are related to this weakness:

4. Affected software

Missing authentication for critical function is a language independent issue that can appear in any multiuser environment.

5. Mitigations

As with most authentication related issues it is hard to provide universal recommendations on how to fix this vulnerability.

Developing a fix would require understanding of the current application security model and implemented access controls.

Three basic rules however can help you eliminate potential improper authorization issues:

  1. Identify all privileged assets within your application (web pages that display sensitive data, website sections that contain privileged/administrative functionality, etc.)
  2. Identify user roles within the application and their access permissions
  3. Always check if the user should have privileges to access the asset

6. References

  1. CWE-306: Missing Authentication for Critical Function [cwe.mitre.org]

Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to ImmuniWeb is given.

↑ Back to Top
Quick Start
Products
Free Trial
Newsletter