Total Tests:

CWE Glossary

CWE is a trademark of the MITRE Corporation.

Stay in Touch

Get exclusive updates and invitations to our events and webinars:

Your data will stay confidential Private and Confidential

Missing Authentication for Critical Function [CWE-306]

This weakness describes Missing Authentication for Critical Function.

Missing Authentication for Critical Function [CWE-306]

Created: June 11, 2018
Latest Update: December 28, 2020

Table of Content

  1. Description
  2. Potential impact
  3. Attack patterns
  4. Affected software
  5. Mitigations
  6. References

Want to have an in-depth understanding of all modern aspects of
Missing Authentication for Critical Function [CWE-306]? Read carefully this article and bookmark it to get back later, we regularly update this page.

1. Description

This weakness describes a case where software does not perform validation of user identity before allowing access to any privileged application functionality.

This vulnerability is often introduced during architecture and design phase of application development process.

A real-world example of such issue is a critical vulnerability in web interface of McAfee Advanced Threat Defense (CVE-2017-4052). The vulnerability allows a remote unauthenticated attacker to send specially crafted HTTP request to the affected application and change configuration settings or gain administrative access.

2. Potential impact

Depending on exposed functionality and application capabilities the impact of this vulnerability can vary from information disclosure to complete application compromise.

How to Detect Missing Authentication for Critical Function Vulnerabilities
Website Security Test
  • GDPR & PCI DSS Test
  • Website CMS Security Test
  • CSP & HTTP Headers Check
  • WordPress & Drupal Scanning
Try For Free

3. Attack patterns

The following CAPEC patterns are related to this weakness:

4. Affected software

Missing authentication for critical function is a language independent issue that can appear in any multiuser environment.

5. Mitigations

As with most authentication related issues it is hard to provide universal recommendations on how to fix this vulnerability.

Developing a fix would require understanding of the current application security model and implemented access controls.

Three basic rules however can help you eliminate potential improper authorization issues:

  1. Identify all privileged assets within your application (web pages that display sensitive data, website sections that contain privileged/administrative functionality, etc.)
  2. Identify user roles within the application and their access permissions
  3. Always check if the user should have privileges to access the asset

6. References

  1. CWE-306: Missing Authentication for Critical Function []

Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to ImmuniWeb is given.

↑ Back to Top
Book a Call Ask a Question
Talk to ImmuniWeb Experts
ImmuniWeb AI Platform
Have a technical question?

Our security experts will answer within
one business day. No obligations.

Have a sales question?
Tel: +41 22 560 6800 (Switzerland)
Tel: +1 720 605 9147 (USA)
Your data will stay private and confidential