Authentication Bypass Using an Alternate Path or Channel

Abstraction: Base
Status: Incomplete
Structure: Simple
Description

This vulnerability occurs when a system has a primary login requirement, but attackers can find an unprotected backdoor or alternative route that completely bypasses those checks.

Extended Description

Think of it like a building with a guarded front door but an unlocked side window. The main application flow correctly validates user credentials, but developers might overlook a secondary API endpoint, a hidden administrative page, a debug interface, or a direct file path that doesn't enforce the same authentication rules. Attackers discover these alternate channels through reconnaissance, fuzzing, or analyzing application structure, allowing them to access restricted functions or data without ever logging in. This often happens during development when temporary access points are created for testing and never removed, or when different system components have inconsistent security policies. To prevent it, you must ensure every single entry point into protected functionality—including APIs, files, and hidden directories—enforces the same robust authentication checks. Regular security audits should map all access paths and verify none provide a secret bypass to your core security gate.

Common Consequences
Scope: Access Control

Impact: Bypass Protection Mechanism

Potential Mitigations
Phase: Architecture and Design
Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.
Demonstrative Examples

ID : DX-176

Register SECURE_ME is located at address 0xF00. A mirror of this register, called COPY_OF_SECURE_ME, is at location 0x800F00. The register SECURE_ME is protected from malicious agents and only allows access to select agents, while COPY_OF_SECURE_ME is not. Access control is implemented using an allowlist (as indicated by acl_oh_allowlist). The identity of the initiator of the transaction is indicated by the one-hot input incoming_id. This is checked against acl_oh_allowlist, which contains the initiators that are allowed to access the asset. Though this example is shown in Verilog, it applies to VHDL as well.

Code Example:

Informative
Verilog

module foo_bar(data_out, data_in, incoming_id, address, clk, rst_n);
  output [31:0] data_out;
  input  [31:0] data_in, incoming_id, address;
  input         clk, rst_n;
  wire          write_auth, addr_auth;
  reg    [31:0] data_out, acl_oh_allowlist, q;

  // Initiator check: the one-hot incoming_id must hit a bit set in the allowlist.
  assign write_auth = | (incoming_id & acl_oh_allowlist) ? 1 : 0;

  // Allowlist of initiators permitted to write SECURE_ME (constant value assumed;
  // the listing on this page breaks off after "always @*").
  always @*
    acl_oh_allowlist = 32'h8312;

  // Address check: only the primary address 0xF00 is recognised (the Bad line below).
  assign addr_auth = (address == 32'hF00) ? 1 : 0;

  // A write is committed only when both the initiator and the address checks pass.
  always @(posedge clk or negedge rst_n)
    if (!rst_n)                      q <= 32'h0;
    else if (addr_auth & write_auth) q <= data_in;

  always @* data_out = q;
endmodule

Code Example:

Bad
Verilog

assign addr_auth = (address == 32'hF00) ? 1: 0;

The bugged line of code is repeated in the Bad example above. The weakness arises because the SECURE_ME register can also be modified by writing to its shadow register COPY_OF_SECURE_ME, yet the address check only recognises 0xF00; the address of COPY_OF_SECURE_ME must be included in the check as well. That line should be replaced as shown in the Good code snippet below.

Code Example:

Good
Verilog

assign addr_auth = (address == 32'hF00 || address == 32'h800F00) ? 1: 0;
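The same check as a small Python model, added here as an illustration and not part of CWE's example or any vendor's code: alias resolution happens once, ahead of a single access check (the choke point from the mitigation above), and an audit walks every address, the mirror included, to confirm that an initiator outside the allowlist cannot change SECURE_ME by any path. The allowlist value, the initiator ids and the register-file layout are assumed.

```python
from dataclasses import dataclass, field

# Constructed model of the mirrored register above: SECURE_ME at 0xF00 is
# shadowed by COPY_OF_SECURE_ME at 0x800F00. Allowlist value and ids are assumed.
SECURE_ME = 0xF00
COPY_OF_SECURE_ME = 0x800F00
ALIASES = {COPY_OF_SECURE_ME: SECURE_ME}   # mirror address -> register it shadows
ACL_OH_ALLOWLIST = 0b0100                  # one-hot ids allowed to write SECURE_ME

@dataclass
class RegisterFile:
    regs: dict = field(default_factory=lambda: {SECURE_ME: 0})

def write_auth(incoming_id: int) -> bool:
    """Same rule as the Verilog: the one-hot id must hit a bit of the allowlist."""
    return (incoming_id & ACL_OH_ALLOWLIST) != 0

def write_bad(rf: RegisterFile, address: int, incoming_id: int, data: int) -> bool:
    """Bad: the check is bound to the literal address, as in
    `addr_auth = (address == 32'hF00)`, so the mirror path is never checked."""
    addr_auth = address == SECURE_ME
    if addr_auth and not write_auth(incoming_id):
        return False                           # the guarded front door
    target = ALIASES.get(address, address)
    if target not in rf.regs:
        return False
    rf.regs[target] = data                     # reachable via the unlocked side window
    return True

def write_good(rf: RegisterFile, address: int, incoming_id: int, data: int) -> bool:
    """Good: resolve the alias first, then apply one check on the canonical
    register; there is no route to SECURE_ME that skips the choke point."""
    target = ALIASES.get(address, address)
    if target not in rf.regs:
        return False
    if target == SECURE_ME and not write_auth(incoming_id):
        return False
    rf.regs[target] = data
    return True

def audit_bypass_paths(write) -> list:
    """Map every reachable address and return those through which an initiator
    outside the allowlist can still change SECURE_ME."""
    leaks = []
    for address in sorted({SECURE_ME, *ALIASES}):
        rf = RegisterFile()
        write(rf, address, 0b0001, 0xDEADBEEF)   # id 0b0001 is not allowlisted
        if rf.regs[SECURE_ME] == 0xDEADBEEF:
            leaks.append(address)
    return leaks
```

Running the audit against write_bad reports the mirror address 0x800F00 as a bypass path; against write_good it reports none, while an allowlisted initiator can still write through either address.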

Observed Examples
  • CVE-2000-1179: Router allows remote attackers to read system logs without authentication by directly connecting to the login screen and typing certain control characters.
  • CVE-1999-1454: Attackers with physical access to the machine may bypass the password prompt by pressing the ESC (Escape) key.
  • CVE-1999-1077: OS allows local attackers to bypass the password protection of idled sessions via the programmer's switch or CMD-PWR keyboard sequence, which brings up a debugger that the attacker can use to disable the lock.
  • CVE-2003-0304: Direct request of installation file allows attacker to create administrator accounts.
  • CVE-2002-0870: Attackers may gain additional privileges by directly requesting the web management URL.
  • CVE-2002-0066: Bypass authentication via direct request to named pipe.
  • CVE-2003-1035: User can avoid lockouts by using an API instead of the GUI to conduct brute force password guessing.
Applicable Platforms
Languages: Not Language-Specific (Prevalence: Undetermined)
Modes of Introduction
Architecture and Design
Taxonomy Mapping
  • PLOVER
  • OWASP Top Ten 2007
Notes
Relationship: Overlaps Unprotected Alternate Channel