Four Iranian Hackers Charged With Cyberattacks On American Firms

April 25, 2024

An Ex-Amazon Security Engineer Gets 3 Years In Jail For Hacking And Crypto Theft

April 18, 2024

Hacker Fakes His Own Death To Avoid Child Support Payments

April 11, 2024

ATM Skimming Ring Leader Sentenced To 75 Months In Prison

April 4, 2024

German Authorities Dismantle the Nemezis Market Dark Web Marketplace

March 28, 2024

OWASP Top 10

OWASP Top 10: Broken Access Control Practical Overview

March 9, 2021

OWASP Top 10: Cryptographic Failures Practical Overview

February 8, 2021

OWASP Top 10: Injection Practical Overview

January 11, 2021

OWASP Top 10: Insecure Design Practical Overview

October 18, 2021

OWASP Top 10: Security Misconfiguration Practical Overview

March 22, 2021

OWASP Top 10: Vulnerable and Outdated Components Practical Overview

May 10, 2021

OWASP Top 10: Identification and Authentication Failures Practical Overview

January 25, 2021

OWASP Top 10: Software and Data Integrity Failures Practical Overview

October 18, 2021

OWASP Top 10: Security Logging and Monitoring Failures Practical Overview

May 24, 2021

OWASP Top 10: Server-Side Request Forgery Practical Overview

October 18, 2021

CWE Glossary

CWE is a trademark of the MITRE Corporation.

ImmuniWeb > CWE Knowledge Base > Missing Authentication for Critical Function [CWE-306]

Missing Authentication for Critical Function [CWE-306]

This weakness describes Missing Authentication for Critical Function.

Created: June 11, 2018
Latest Update: December 28, 2020

Want to have an in-depth understanding of all modern aspects of
Missing Authentication for Critical Function [CWE-306]? Read carefully this article and bookmark it to get back later, we regularly update this page.

1. Description

This weakness describes a case where software does not perform validation of user identity before allowing access to any privileged application functionality.

This vulnerability is often introduced during architecture and design phase of application development process.

A real-world example of such issue is a critical vulnerability in web interface of McAfee Advanced Threat Defense (CVE-2017-4052). The vulnerability allows a remote unauthenticated attacker to send specially crafted HTTP request to the affected application and change configuration settings or gain administrative access.

2. Potential impact

Depending on exposed functionality and application capabilities the impact of this vulnerability can vary from information disclosure to complete application compromise.

3. Attack patterns

The following CAPEC patterns are related to this weakness:

CAPEC-12: Choosing a Message/Channel Identifier on a Public/Multicast Channel
CAPEC-36: Using Unpublished Web Service APIs
CAPEC-40: Manipulating Writeable Terminal Devices
CAPEC-62: Cross Site Request Forgery (aka Session Riding)

4. Affected software

Missing authentication for critical function is a language independent issue that can appear in any multiuser environment.

5. Mitigations

As with most authentication related issues it is hard to provide universal recommendations on how to fix this vulnerability.

Developing a fix would require understanding of the current application security model and implemented access controls.

Three basic rules however can help you eliminate potential improper authorization issues:

Identify all privileged assets within your application (web pages that display sensitive data, website sections that contain privileged/administrative functionality, etc.)
Identify user roles within the application and their access permissions
Always check if the user should have privileges to access the asset

6. References

CWE-306: Missing Authentication for Critical Function [cwe.mitre.org]

Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to ImmuniWeb is given.

↑ Back to Top

17.8k
86
79
104
50
More
76
75
70