CWE-522: Insufficiently Protected CredentialsWeakness ID: 522 Vulnerability Mapping:
ALLOWEDThis CWE ID could be used to map to real-world vulnerabilities in limited situations requiring careful review (with careful review of mapping notes) Abstraction: ClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. |
Description The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. Common Consequences This table specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.Scope | Impact | Likelihood |
---|
Access Control
| Technical Impact: Gain Privileges or Assume Identity An attacker could gain access to user accounts and access sensitive data used by the user accounts. | |
Potential Mitigations
Phase: Architecture and Design Use an appropriate security mechanism to protect the credentials. |
Phase: Architecture and Design Make appropriate use of cryptography to protect the credentials. |
Phase: Implementation Use industry standards to protect the credentials (e.g. LDAP, keystore, etc.). |
Relationships This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore. Relevant to the view "Research Concepts" (CWE-1000) Nature | Type | ID | Name |
---|
ChildOf | Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. | 668 | Exposure of Resource to Wrong Sphere | ChildOf | Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. | 1390 | Weak Authentication | ParentOf | Base - a weakness
that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 256 | Plaintext Storage of a Password | ParentOf | Base - a weakness
that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 257 | Storing Passwords in a Recoverable Format | ParentOf | Base - a weakness
that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 260 | Password in Configuration File | ParentOf | Base - a weakness
that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 261 | Weak Encoding for Password | ParentOf | Base - a weakness
that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 523 | Unprotected Transport of Credentials | ParentOf | Base - a weakness
that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 549 | Missing Password Field Masking |
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore. Relevant to the view "Weaknesses for Simplified Mapping of Published Vulnerabilities" (CWE-1003) Nature | Type | ID | Name |
---|
ChildOf | Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. | 287 | Improper Authentication |
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore. Relevant to the view "Architectural Concepts" (CWE-1008) Nature | Type | ID | Name |
---|
MemberOf | Category - a CWE entry that contains a set of other entries that share a common characteristic. | 1013 | Encrypt Data |
Modes Of Introduction The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.Phase | Note |
---|
Architecture and Design | COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. | Implementation | |
Demonstrative Examples Example 1 This code changes a user's password. (bad code) Example Language: PHP
$user = $_GET['user']; $pass = $_GET['pass']; $checkpass = $_GET['checkpass']; if ($pass == $checkpass) { SetUserPassword($user, $pass); }
While the code confirms that the requesting user typed the same new password twice, it does not confirm that the user requesting the password change is the same user whose password will be changed. An attacker can request a change of another user's password and gain control of the victim's account. Example 2 The following code reads a password from a properties file and uses the password to connect to a database. (bad code) Example Language: Java
... Properties prop = new Properties(); prop.load(new FileInputStream("config.properties")); String password = prop.getProperty("password"); DriverManager.getConnection(url, usr, password); ...
This code will run successfully, but anyone who has access to config.properties can read the value of password. If a devious employee has access to this information, they can use it to break into the system. Example 3 The following code reads a password from the registry and uses the password to create a new network credential. (bad code) Example Language: Java
... String password = regKey.GetValue(passKey).toString(); NetworkCredential netCred = new NetworkCredential(username,password,domain); ...
This code will run successfully, but anyone who has access to the registry key used to store the password can read the value of password. If a devious employee has access to this information, they can use it to break into the system Example 4 Both of these examples verify a password by comparing it to a stored compressed version. (bad code) Example Language: C
int VerifyAdmin(char *password) { if (strcmp(compress(password), compressed_password)) { printf("Incorrect Password!\n"); return(0); } printf("Entering Diagnostic Mode...\n"); return(1); }
(bad code) Example Language: Java
int VerifyAdmin(String password) { if (passwd.Equals(compress(password), compressed_password)) { return(0); }
//Diagnostic Mode
return(1); }
Because a compression algorithm is used instead of a one way hashing algorithm, an attacker can recover compressed passwords stored in the database. Example 5 The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in cleartext. This Java example shows a properties file with a cleartext username / password pair. (bad code) Example Language: Java
# Java Web App ResourceBundle properties file
... webapp.ldap.username=secretUsername webapp.ldap.password=secretPassword ...
The following example shows a portion of a configuration file for an ASP.Net application. This configuration file includes username and password information for a connection to a database but the pair is stored in cleartext. (bad code) Example Language: ASP.NET
... <connectionStrings> <add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;" providerName="System.Data.Odbc" /> </connectionStrings> ...
Username and password information should not be included in a configuration file or a properties file in cleartext as this will allow anyone who can read the file access to the resource. If possible, encrypt this information. Example 6 In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications. Multiple vendors used cleartext transmission or storage of passwords in their OT products. Observed Examples Reference | Description |
| A messaging platform serializes all elements of User/Group objects, making private information available to adversaries |
| Initialization file contains credentials that can be decoded using a "simple string transformation" |
| Python-based RPC framework enables pickle functionality by default, allowing clients to unpickle untrusted data. |
| Programmable Logic Controller (PLC) sends sensitive information in plaintext, including passwords and session tokens. |
| Building Controller uses a protocol that transmits authentication credentials in plaintext. |
| Programmable Logic Controller (PLC) sends password in plaintext. |
| Remote Terminal Unit (RTU) uses a driver that relies on a password stored in plaintext. |
| Web app allows remote attackers to change the passwords of arbitrary users without providing the original password, and possibly perform other unauthorized actions. |
| Web application password change utility doesn't check the original password. |
| product authentication succeeds if user-provided MD5 hash matches the hash in its database; this can be subjected to replay attacks. |
| chain: product generates predictable MD5 hashes using a constant value combined with username, allowing authentication bypass. |
Detection Methods
Automated Static Analysis Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) |
Memberships This MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. This information is often useful in understanding where a weakness fits within the context of external information sources. Vulnerability Mapping Notes Usage: ALLOWED-WITH-REVIEW (this CWE ID could be used to map to real-world vulnerabilities in limited situations requiring careful review) | Reason: Abstraction | Rationale: This CWE entry is a Class and might have Base-level children that would be more appropriate | Comments: Examine children of this entry to see if there is a better fit |
Taxonomy Mappings Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
OWASP Top Ten 2007 | A7 | CWE More Specific | Broken Authentication and Session Management |
OWASP Top Ten 2004 | A3 | CWE More Specific | Broken Authentication and Session Management |
References
[REF-44] Michael Howard, David LeBlanc
and John Viega. "24 Deadly Sins of Software Security". "Sin 19: Use of Weak Password-Based Systems." Page 279. McGraw-Hill. 2010.
|
|
Content History Submissions |
---|
Submission Date | Submitter | Organization |
---|
2006-07-19 (CWE Draft 3, 2006-07-19) | Anonymous Tool Vendor (under NDA) | | | Modifications |
---|
Modification Date | Modifier | Organization |
---|
2008-07-01 | Eric Dalci | Cigital | updated Potential_Mitigations, Time_of_Introduction | 2008-09-08 | CWE Content Team | MITRE | updated Relationships, Other_Notes, Taxonomy_Mappings | 2009-05-27 | CWE Content Team | MITRE | updated Related_Attack_Patterns | 2011-03-29 | CWE Content Team | MITRE | updated Relationships | 2011-06-01 | CWE Content Team | MITRE | updated Common_Consequences | 2012-05-11 | CWE Content Team | MITRE | updated Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Related_Attack_Patterns, Relationships | 2012-10-30 | CWE Content Team | MITRE | updated Demonstrative_Examples, Potential_Mitigations | 2014-06-23 | CWE Content Team | MITRE | updated Other_Notes, Relationships | 2014-07-30 | CWE Content Team | MITRE | updated Relationships | 2017-05-03 | CWE Content Team | MITRE | updated Related_Attack_Patterns | 2017-11-08 | CWE Content Team | MITRE | updated Demonstrative_Examples, Modes_of_Introduction, Relationships, Taxonomy_Mappings | 2018-03-27 | CWE Content Team | MITRE | updated Relationships | 2019-01-03 | CWE Content Team | MITRE | updated Related_Attack_Patterns | 2019-06-20 | CWE Content Team | MITRE | updated Related_Attack_Patterns, Relationships | 2020-02-24 | CWE Content Team | MITRE | updated Description, Relationships, Type | 2020-08-20 | CWE Content Team | MITRE | updated Related_Attack_Patterns, Relationships | 2021-03-15 | CWE Content Team | MITRE | updated Demonstrative_Examples | 2021-07-20 | CWE Content Team | MITRE | updated Relationships | 2021-10-28 | CWE Content Team | MITRE | updated Relationships | 2022-10-13 | CWE Content Team | MITRE | updated Demonstrative_Examples, Observed_Examples, References, Relationships | 2023-01-31 | CWE Content Team | MITRE | updated Applicable_Platforms, Observed_Examples, Relationships | 2023-04-27 | CWE Content Team | MITRE | updated Detection_Factors, Relationships | 2023-06-29 | CWE Content Team | MITRE | updated Mapping_Notes | 2023-10-26 | CWE Content Team | MITRE | updated Observed_Examples |
More information is available — Please edit the custom filter or select a different filter.
|