CWE-289: Authentication Bypass by Alternate Name
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.
常见后果
影响范围: Access Control
技术影响: Bypass Protection Mechanism
潜在缓解措施
阶段: Architecture and Design
策略: Input Validation
描述: Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.
阶段: Implementation
策略: Input Validation
阶段: Implementation
策略: Input Validation
描述: Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
观察示例
参考: CVE-2003-0317
Protection mechanism that restricts URL access can be bypassed using URL encoding.
参考: CVE-2004-0847
Bypass of authentication for files using "\" (backslash) or "%5C" (encoded backslash).
引入模式
| 阶段 | 说明 |
|---|---|
| Architecture and Design | COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. |
| Implementation | - |
适用平台
编程语言
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| PLOVER | - | Authentication bypass by alternate name | - |
| The CERT Oracle Secure Coding Standard for Java (2011) | IDS01-J | Normalize strings before validating them | CWE More Specific |
| SEI CERT Oracle Coding Standard for Java | IDS01-J | Normalize strings before validating them | CWE More Specific |