This vulnerability occurs when an authentication system incorrectly treats certain data as unchangeable, when in fact an attacker can manipulate it to bypass login or verification checks.
Developers often assume that certain data points, such as hidden form fields, environment variables, or particular HTTP headers, are secure and cannot be altered by a user. In practice an attacker can intercept and modify this 'assumed-immutable' data in transit, or bypass the client-side controls that were supposed to protect it, tricking the application into granting unauthorized access. To prevent this, never base critical security decisions on client-supplied data. Always re-validate authentication state and user permissions on the server using a trusted, server-controlled session mechanism. Treat everything that arrives from the client (cookies, headers, and hidden parameters included) as potentially malicious, and verify it against the authoritative server-side session store.
Impact: Bypass Protection Mechanism
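As an added illustration (not code from the original page), the following Java sketch places the flawed check beside the corrected one: the first trusts a hidden form field named `role`, the second ignores it and derives the role from a server-controlled session store keyed by the session cookie. The `Request` class, `login` helper and the in-memory session map are constructed stand-ins, not any real framework's API.

```java
import java.util.HashMap;
import java.util.Map;

// Assumed-immutable data: a hidden field the server rendered is still client-controlled.
public class HiddenFieldAuthDemo {
    // Authoritative server-side session store: sessionId -> role. Only login() writes to it.
    private static final Map<String, String> sessionRoles = new HashMap<>();

    // Constructed stand-in for an HTTP request: form parameters plus cookies.
    static final class Request {
        final Map<String, String> params = new HashMap<>();
        final Map<String, String> cookies = new HashMap<>();
    }

    // Login issues a session id whose role is fixed on the server side.
    static String login(String user, String role) {
        String sid = "sid-" + user;            // constructed; real systems use random ids
        sessionRoles.put(sid, role);
        return sid;
    }

    // VULNERABLE: "role" was written into a hidden field by the server, but nothing stops
    // the client from rewriting it before submitting the form, so it is not immutable.
    static boolean vulnerableIsAdmin(Request req) {
        return "admin".equals(req.params.get("role"));
    }

    // FIXED: the client-supplied "role" is ignored; the role is looked up in the session
    // store using the session cookie, and an unknown or missing session gets no access.
    static boolean fixedIsAdmin(Request req) {
        String sid = req.cookies.get("SESSIONID");
        if (sid == null) return false;
        return "admin".equals(sessionRoles.get(sid));
    }

    public static void main(String[] args) {
        String sid = login("alice", "user");     // alice is an ordinary user
        Request req = new Request();
        req.cookies.put("SESSIONID", sid);
        req.params.put("role", "admin");         // hidden field altered on the client
        System.out.println("vulnerable check grants admin: " + vulnerableIsAdmin(req));
        System.out.println("fixed check grants admin:      " + fixedIsAdmin(req));
    }
}
```

Running `main` shows the vulnerable check granting admin to an ordinary user's tampered request while the fixed check does not, because only the server-side store determines the role.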