Missing Authentication for Critical Function [CWE-306]
This weakness describes Missing Authentication for Critical Function.
Created: June 11, 2018
Latest Update: March 9, 2020
1. Description
This weakness describes a case where software does not verify the user's identity before allowing access to privileged application functionality, so anyone who can reach the function can invoke it.
This vulnerability is usually introduced during the architecture and design phase of the development process, for example when a function is assumed to be reachable only from a trusted network or only through a UI that hides the link to it.
A real-world example of such an issue is a critical vulnerability in the web interface of McAfee Advanced Threat Defense (CVE-2017-4052). The vulnerability allows a remote unauthenticated attacker to send a specially crafted HTTP request to the affected application and change configuration settings or gain administrative access.
2. Potential impact
Depending on the exposed functionality and the application's capabilities, the impact of this vulnerability can range from information disclosure to complete application compromise.
3. Attack patterns
The following CAPEC patterns are related to this weakness:
- CAPEC-12: Choosing a Message/Channel Identifier on a Public/Multicast Channel
- CAPEC-36: Using Unpublished Web Service APIs
- CAPEC-40: Manipulating Writeable Terminal Devices
- CAPEC-62: Cross Site Request Forgery (aka Session Riding)
4. Affected software
Missing authentication for a critical function is a language-independent issue that can appear in any multi-user environment.
As with most authentication-related issues, it is hard to provide universal recommendations on how to fix this vulnerability.
Developing a fix requires an understanding of the application's security model and of the access controls it implements.
Three basic rules, however, can help you eliminate potential missing-authentication and improper-authorization issues:
- Identify all privileged assets within your application (web pages that display sensitive data, website sections that contain privileged/administrative functionality, API endpoints that change state or configuration, etc.)
- Identify the user roles within the application and the permissions of each
- Always check, on the server side and on every request, that the caller is authenticated and holds a role permitted to access the asset; deny by default, and do not treat an unpublished URL or a link hidden in the UI as a substitute for this check
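As an added example (not code from the original article or from any product it mentions), the following Python dispatcher shows the weakness beside a fix that applies the three rules above: a configuration-changing endpoint registered with no identity check at all, next to a deny-by-default dispatcher that authenticates every request and maps each route to the roles it requires. The routes, session tokens, user names and configuration values are constructed and hypothetical.

```python
"""CWE-306 illustrated: a vulnerable request dispatcher beside a hardened one.

Constructed example. The session store, routes and configuration below are
hypothetical stand-ins for a real application's state.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed session store: bearer token -> (username, roles). Hypothetical.
SESSIONS: Dict[str, Tuple[str, Set[str]]] = {
    "tok-alice": ("alice", {"user"}),
    "tok-admin": ("root", {"user", "admin"}),
}

# Application state that the "critical function" mutates. Hypothetical.
CONFIG: Dict[str, str] = {"syslog_server": "10.0.0.1"}


@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


def set_config(req: Request, user: Optional[str]) -> Response:
    """Critical function: changes application configuration."""
    CONFIG.update(req.body)
    return Response(200, "config updated")


def whoami(req: Request, user: Optional[str]) -> Response:
    return Response(200, f"user={user}")


def public_status(req: Request, user: Optional[str]) -> Response:
    return Response(200, "ok")


# --- Vulnerable: the critical function is wired up like any other route.
# Nothing checks who the caller is; knowing the URL is enough (CWE-306).
VULN_ROUTES: Dict[str, Callable[[Request, Optional[str]], Response]] = {
    "/status": public_status,
    "/admin/config": set_config,
}


def vulnerable_dispatch(req: Request) -> Response:
    handler = VULN_ROUTES.get(req.path)
    if handler is None:
        return Response(404, "not found")
    return handler(req, None)


# --- Hardened: rule 1 (privileged assets) is the route table, rule 2 (roles)
# is the required-roles set on each entry, rule 3 (always check) is enforced
# once, centrally, before any handler runs. An empty role set means the route
# is deliberately anonymous; every other route needs a valid session.
SAFE_ROUTES: Dict[str, Tuple[Callable[[Request, Optional[str]], Response], Set[str]]] = {
    "/status": (public_status, set()),
    "/whoami": (whoami, {"user"}),
    "/admin/config": (set_config, {"admin"}),
}


def authenticate(req: Request) -> Optional[Tuple[str, Set[str]]]:
    """Resolve the bearer token to a session, or None if absent/invalid."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def hardened_dispatch(req: Request) -> Response:
    entry = SAFE_ROUTES.get(req.path)
    if entry is None:
        return Response(404, "not found")      # unknown route: denied by default
    handler, required = entry
    session = authenticate(req)
    if required:
        if session is None:
            return Response(401, "authentication required")
        user, roles = session
        if not required <= roles:
            return Response(403, "forbidden")
    else:
        user = session[0] if session else None
    return handler(req, user)


if __name__ == "__main__":
    attack = Request("/admin/config", body={"syslog_server": "attacker.example"})
    print("vulnerable:", vulnerable_dispatch(attack).status, CONFIG)   # 200, changed
    CONFIG["syslog_server"] = "10.0.0.1"
    print("hardened:  ", hardened_dispatch(attack).status, CONFIG)     # 401, unchanged
```

Running the module shows the unauthenticated request succeeding against the vulnerable dispatcher and being rejected with 401 by the hardened one; the same request with the admin token succeeds, and a token carrying only the user role gets 403. The point of centralising the check in the dispatcher, rather than inside each handler, is that a new privileged route cannot be added without declaring its required roles, which is exactly the omission that produces this weakness.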
- CWE-306: Missing Authentication for Critical Function [cwe.mitre.org]
Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to ImmuniWeb is given.