{"@ID": "602", "@Name": "Client-Side Enforcement of Server-Side Security", "@Abstraction": "Class", "@Structure": "Simple", "@Status": "Draft", "Description": "The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.", "Extended_Description": "When the server relies on protection mechanisms placed on the client side, an attacker can modify the client-side behavior to bypass the protection mechanisms, resulting in potentially unexpected interactions between the client and server. The consequences will vary, depending on what the mechanisms are trying to protect.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "693", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "CanPrecede", "@CWE_ID": "471", "@View_ID": "1000"}, {"@Nature": "PeerOf", "@CWE_ID": "290", "@View_ID": "1000"}, {"@Nature": "PeerOf", "@CWE_ID": "300", "@View_ID": "1000"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}, "Technology": [{"@Class": "ICS/OT", "@Prevalence": "Undetermined"}, {"@Class": "Mobile", "@Prevalence": "Undetermined"}]}, "Modes_Of_Introduction": {"Introduction": [{"Phase": "Architecture and Design", "Note": "COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic."}, {"Phase": "Architecture and Design", "Note": "Consider a product that consists of two or more processes or nodes that must interact closely, such as a client/server model. If the product uses protection schemes in the client in order to defend from attacks against the server, and the server does not use the same schemes, then an attacker could modify the client in a way that bypasses those schemes. This is a fundamental design flaw that is primary to many weaknesses."}]}, "Likelihood_Of_Exploit": "Medium", "Common_Consequences": {"Consequence": [{"Scope": ["Access Control", "Availability"], "Impact": ["Bypass Protection Mechanism", "DoS: Crash, Exit, or Restart"], "Note": "Client-side validation checks can be easily bypassed, allowing malformed or unexpected input to pass into the application, potentially as trusted data. This may lead to unexpected states, behaviors and possibly a resulting crash."}, {"Scope": "Access Control", "Impact": ["Bypass Protection Mechanism", "Gain Privileges or Assume Identity"], "Note": "Client-side checks for authentication can be easily bypassed, allowing clients to escalate their access levels and perform unintended actions."}]}, "Detection_Methods": {"Detection_Method": [{"Method": "Fuzzing", "Description": "Use dynamic tools and techniques that\n\t     interact with the software using large test suites with\n\t     many diverse inputs, such as fuzz testing (fuzzing),\n\t     robustness testing, and fault injection. The software's\n\t     operation may slow down, but it should not become\n\t     unstable, crash, or generate incorrect\n\t     results."}, {"Method": "Manual Analysis", "Description": "Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules."}]}, "Potential_Mitigations": {"Mitigation": [{"Phase": "Architecture and Design", "Description": {"xhtml:p": ["For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.", "Even though client-side checks provide minimal benefits with respect to server-side security, they are still useful. First, they can support intrusion detection. If the server receives input that should have been rejected by the client, then it may be an indication of an attack. Second, client-side error-checking can provide helpful feedback to the user about the expectations for valid input. Third, there may be a reduction in server-side processing time for accidental input errors, although this is typically a small savings."]}}, {"Phase": "Architecture and Design", "Description": "If some degree of trust is required between the two entities, then use integrity checking and strong authentication to ensure that the inputs are coming from a trusted source. Design the product so that this trust is managed in a centralized fashion, especially if there are complex or numerous communication channels, in order to reduce the risks that the implementer will mistakenly omit a check in a single code path."}]}, "Demonstrative_Examples": {"Demonstrative_Example": [{"Intro_Text": "This example contains client-side code that checks if the user authenticated successfully before sending a command. The server-side code performs the authentication in one step, and executes the command in a separate step.", "Body_Text": ["CLIENT-SIDE (client.pl)", "SERVER-SIDE (server.pl):", "The server accepts 2 commands, \"AUTH\" which authenticates the user, and \"CHANGE-ADDRESS\" which updates the address field for the username. The client performs the authentication and only sends a CHANGE-ADDRESS for that user if the authentication succeeds. Because the client has already performed the authentication, the server assumes that the username in the CHANGE-ADDRESS is the same as the authenticated user. An attacker could modify the client by removing the code that sends the \"AUTH\" command and simply executing the CHANGE-ADDRESS."], "Example_Code": [{"@Nature": "Good", "@Language": "Perl", "xhtml:div": {"xhtml:br": [null, null, null, null, null, null, null, null], "xhtml:div": [{"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null], "xhtml:i": "# username/pass is valid, go ahead and update the info!", "#text": "writeSocket($sock, \"CHANGE-ADDRESS $username $address\\n\";"}}, {"@style": "margin-left:1em;", "#text": "print \"ERROR: Invalid Authentication!\\n\";"}], "#text": "$server = \"server.example.com\";$username = AskForUserName();$password = AskForPassword();$address = AskForAddress();$sock = OpenSocket($server, 1234);writeSocket($sock, \"AUTH $username $password\\n\");$resp = readSocket($sock);if ($resp eq \"success\") {}else {}"}}, {"@Nature": "Bad", "@Language": "Perl", "xhtml:div": {"xhtml:br": [null, null, null], "xhtml:div": [{"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null, null, null, null, null], "xhtml:i": ["# does not close the socket on failure; assumes the", "# user will try again"], "#text": "($username, $pass) = split(/\\s+/, $args, 2);$result = AuthenticateUser($username, $pass);writeSocket($sock, \"$result\\n\");"}}, {"@style": "margin-left:1em;", "xhtml:div": [{"@style": "margin-left:1em;", "xhtml:br": null, "#text": "$res = UpdateDatabaseRecord($username, \"address\", $args);writeSocket($sock, \"SUCCESS\\n\");"}, {"@style": "margin-left:1em;", "#text": "writeSocket($sock, \"FAILURE -- address is malformed\\n\");"}], "xhtml:br": null, "#text": "if (validateAddress($args)) {}else {}"}], "#text": "$sock = acceptSocket(1234);($cmd, $args) = ParseClientRequest($sock);if ($cmd eq \"AUTH\") {}elsif ($cmd eq \"CHANGE-ADDRESS\") {}"}}]}, {"@Demonstrative_Example_ID": "DX-153", "Intro_Text": "In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were \"insecure by design\" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications.", "Body_Text": "Multiple vendors used client-side authentication in their OT products."}]}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2024-50653", "Description": "Chain: e-commerce product has a \"front-end restriction\" for coupon use (CWE-602), but the server does not restrict the number of requests for the same coupon (CWE-799)", "Link": "https://www.cve.org/CVERecord?id=CVE-2024-50653"}, {"Reference": "CVE-2022-33139", "Description": "SCADA system only uses client-side authentication, allowing adversaries to impersonate other users.", "Link": "https://www.cve.org/CVERecord?id=CVE-2022-33139"}, {"Reference": "CVE-2006-6994", "Description": "ASP program allows upload of .asp files by bypassing client-side checks.", "Link": "https://www.cve.org/CVERecord?id=CVE-2006-6994"}, {"Reference": "CVE-2007-0163", "Description": "steganography products embed password information in the carrier file, which can be extracted from a modified client.", "Link": "https://www.cve.org/CVERecord?id=CVE-2007-0163"}, {"Reference": "CVE-2007-0164", "Description": "steganography products embed password information in the carrier file, which can be extracted from a modified client.", "Link": "https://www.cve.org/CVERecord?id=CVE-2007-0164"}, {"Reference": "CVE-2007-0100", "Description": "client allows server to modify client's configuration and overwrite arbitrary files.", "Link": "https://www.cve.org/CVERecord?id=CVE-2007-0100"}]}, "Taxonomy_Mappings": {"Taxonomy_Mapping": {"@Taxonomy_Name": "OWASP Top Ten 2004", "Entry_ID": "A1", "Entry_Name": "Unvalidated Input", "Mapping_Fit": "CWE More Specific"}}, "Related_Attack_Patterns": {"Related_Attack_Pattern": [{"@CAPEC_ID": "162"}, {"@CAPEC_ID": "202"}, {"@CAPEC_ID": "207"}, {"@CAPEC_ID": "208"}, {"@CAPEC_ID": "21"}, {"@CAPEC_ID": "31"}, {"@CAPEC_ID": "383"}, {"@CAPEC_ID": "384"}, {"@CAPEC_ID": "385"}, {"@CAPEC_ID": "386"}, {"@CAPEC_ID": "387"}, {"@CAPEC_ID": "388"}]}, "References": {"Reference": [{"@External_Reference_ID": "REF-7", "@Section": "Chapter 23, \"Client-Side Security Is an Oxymoron\" Page 687"}, {"@External_Reference_ID": "REF-1283"}]}, "Mapping_Notes": {"Usage": "Allowed-with-Review", "Rationale": "This CWE entry is a Class and might have Base-level children that would be more appropriate", "Comments": "Examine children of this entry to see if there is a better fit", "Reasons": {"Reason": {"@Type": "Abstraction"}}}, "Content_History": {"Submission": {"Submission_Name": "CWE Community", "Submission_Date": "2007-05-07", "Submission_Version": "Draft 6", "Submission_ReleaseDate": "2007-05-07", "Submission_Comment": "Submitted by members of the CWE community to extend early CWE versions"}, "Modification": [{"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-01-12", "Modification_Version": "1.2", "Modification_ReleaseDate": "2009-01-12", "Modification_Comment": "updated Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships, Research_Gaps, Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-03-10", "Modification_Version": "1.3", "Modification_ReleaseDate": "2009-03-10", "Modification_Comment": "updated Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-05-27", "Modification_Version": "1.4", "Modification_ReleaseDate": "2009-05-27", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-07-27", "Modification_Version": "1.5", "Modification_ReleaseDate": "2009-07-27", "Modification_Comment": "updated Related_Attack_Patterns, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-10-29", "Modification_Version": "1.6", "Modification_ReleaseDate": "2009-10-29", "Modification_Comment": "updated Applicable_Platforms, Common_Consequences, Description"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-02-16", "Modification_Version": "1.8", "Modification_ReleaseDate": "2010-02-16", "Modification_Comment": "updated References"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-04-05", "Modification_Version": "1.8.1", "Modification_ReleaseDate": "2010-04-05", "Modification_Comment": "updated Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-12-13", "Modification_Version": "1.11", "Modification_ReleaseDate": "2010-12-13", "Modification_Comment": "updated Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-03-29", "Modification_Version": "1.12", "Modification_ReleaseDate": "2011-03-30", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-05-03", "Modification_Version": "2.11", "Modification_ReleaseDate": "2017-05-05", "Modification_Comment": "updated Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Applicable_Platforms, Enabling_Factors_for_Exploitation, Modes_of_Introduction, References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2018-03-27", "Modification_Version": "3.1", "Modification_ReleaseDate": "2018-03-27", "Modification_Comment": "updated References"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-06-20", "Modification_Version": "3.3", "Modification_ReleaseDate": "2019-06-20", "Modification_Comment": "updated Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Applicable_Platforms, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-10-28", "Modification_Version": "4.6", "Modification_ReleaseDate": "2021-10-28", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-04-28", "Modification_Version": "4.7", "Modification_ReleaseDate": "2022-04-28", "Modification_Comment": "updated Research_Gaps"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-10-13", "Modification_Version": "4.9", "Modification_ReleaseDate": "2022-10-13", "Modification_Comment": "updated Demonstrative_Examples, Description, Observed_Examples, References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Applicable_Platforms, Relationships, Type"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-04-03", "Modification_Version": "4.17", "Modification_ReleaseDate": "2025-04-03", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Detection_Factors, Observed_Examples, Potential_Mitigations, Relationships"}], "Previous_Entry_Name": [{"@Date": "2008-04-11", "#text": "Client-Side Enforcement of Server-Side Security"}, {"@Date": "2009-01-12", "#text": "Design Principle Violation: Client-Side Enforcement of Server-Side Security"}]}}
