CWE-302: Authentication Bypass by Assumed-Immutable Data

Structure: Simple

Abstraction: Variant

Status: Incomplete

Likelihood of Exploit: Unknown


The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.


  • ChildOf CWE-287 (View 1000, Primary)

  • ChildOf CWE-287 (View 699, Primary)

  • ChildOf CWE-807 (View 1000)


Language: Language-Independent (Prevalence: Undetermined)


Scope | Impact | Notes
Access Control | Bypass Protection Mechanism |


Phases: Architecture and Design; Operation; Implementation

Implement proper protection for data that is assumed to be immutable (e.g. environment variables, hidden form fields, cookies), so that the authentication decision does not rest on values the client can rewrite.


In the following example, an "authenticated" cookie is used to determine whether or not a user should be granted access to a system.

(bad code) Example language: Java

    // The cookie value is read straight from the client and trusted as-is.
    boolean authenticated = new Boolean(getCookieValue("authenticated")).booleanValue();
    if (authenticated) {
        // Access is granted solely on the strength of a client-controlled value.
        grantAccess();
    }

Of course, modifying the value of a cookie on the client-side is trivial, but many developers assume that cookies are essentially immutable.
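The same flaw and two common ways to remove it, as an added example that is not part of the CWE entry (the CWE is language-independent, so Python is used here; all names, the in-memory session store and the sample credential are constructed for the demonstration):

```python
import hmac
import hashlib
import secrets

# Constructed in-memory server state; a real application would use its own
# session store and hashed passwords. All names here are hypothetical.
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {}                               # session id -> user, written only by login()
PASSWORD_DB = {"alice": "correct horse"}    # constructed sample credential

def login(user, password):
    """Verify credentials and issue an opaque, unguessable session id."""
    if not hmac.compare_digest(PASSWORD_DB.get(user, ""), password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return sid

def is_authenticated_vulnerable(cookies):
    """CWE-302 pattern: the decision rests on a flag the client controls."""
    return cookies.get("authenticated", "false").lower() == "true"

def is_authenticated_fixed(cookies):
    """Fix 1: the cookie is only a lookup key; the trusted state stays server-side."""
    return cookies.get("session") in SESSIONS

def issue_signed_cookie(user):
    """Fix 2 (stateless): bind the value to a secret only the server holds."""
    mac = hmac.new(SERVER_SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"

def user_from_signed_cookie(cookie):
    """Return the user only if the tag verifies; a client-forged tag fails."""
    user, _, mac = cookie.rpartition(".")
    expected = hmac.new(SERVER_SECRET, user.encode(), hashlib.sha256).hexdigest()
    return user if user and hmac.compare_digest(mac, expected) else None

def demo():
    """Run a forged cookie set and a genuine one through each check."""
    forged = {"authenticated": "true", "session": "made-up-by-client"}
    genuine = {"session": login("alice", "correct horse")}
    return {
        "vulnerable_accepts_forged": is_authenticated_vulnerable(forged),
        "fixed_rejects_forged": not is_authenticated_fixed(forged),
        "fixed_accepts_genuine": is_authenticated_fixed(genuine),
        "signed_rejects_forged": user_from_signed_cookie("admin.deadbeef") is None,
        "signed_accepts_genuine": user_from_signed_cookie(issue_signed_cookie("alice")) == "alice",
    }

if __name__ == "__main__":
    print(demo())
```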


Identifier | Description | Link
CVE-2002-0367 | DebPloit |
CVE-2004-0261 | Web auth |
CVE-2002-1730 | Authentication bypass by setting certain cookies to "true". |
CVE-2002-1734 | Authentication bypass by setting certain cookies to "true". |
CVE-2002-2064 | Admin access by setting a cookie. |
CVE-2002-2054 | Gain privileges by setting cookie. |
CVE-2004-1611 | Product trusts authentication information in cookie. |
CVE-2005-1708 | Authentication bypass by setting admin-testing variable to true. |
CVE-2005-1787 | Bypass auth and gain privileges by setting a variable. |


Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER | | | Authentication Bypass via Assumed-Immutable Data
OWASP Top Ten 2004 | A1 | CWE More Specific | Unvalidated Input
The CERT Oracle Secure Coding Standard for Java (2011) | SEC02-J | | Do not base security checks on untrusted sources


  • CAPEC-10
  • CAPEC-13
  • CAPEC-21
  • CAPEC-274
  • CAPEC-31
  • CAPEC-39
  • CAPEC-45
  • CAPEC-77