logo

Client-Side Enforcement of Server-Side Security

Draft Class
Structure: Simple
Description

This vulnerability occurs when a server incorrectly trusts the client to enforce critical security rules, such as input validation or access controls, instead of performing these checks itself.

Extended Description

This flaw creates a fundamental trust issue. Since an attacker has full control over their own client—whether it's a browser, mobile app, or API client—they can easily bypass, remove, or manipulate any client-side security checks. The server, operating under the false assumption that these checks are reliable, then processes malicious or unauthorized requests. The impact depends entirely on what the client was supposed to protect. Common consequences include unauthorized data access, privilege escalation, data corruption, or complete system compromise. The root cause is a design error: security must always be enforced at the point where trust is established and data is ultimately processed—the server.
Common Consequences 2
Scope: Access ControlAvailability

Impact: Bypass Protection MechanismDoS: Crash, Exit, or Restart

Client-side validation checks can be easily bypassed, allowing malformed or unexpected input to pass into the application, potentially as trusted data. This may lead to unexpected states, behaviors and possibly a resulting crash.

Scope: Access Control

Impact: Bypass Protection MechanismGain Privileges or Assume Identity

Client-side checks for authentication can be easily bypassed, allowing clients to escalate their access levels and perform unintended actions.
Potential Mitigations 4
Phase: Architecture and Design
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. Even though client-side checks provide minimal benefits with respect to server-side security, they are still useful. First, they can support intrusion detection. If the server receives input that should have been rejected by the client, then it may be an indication of an attack. Second, client-side error-checking can provide helpful feedback to the user about the expectations for valid input. Third, there may be a reduction in server-side processing time for accidental input errors, although this is typically a small savings.
Phase: Architecture and Design
If some degree of trust is required between the two entities, then use integrity checking and strong authentication to ensure that the inputs are coming from a trusted source. Design the product so that this trust is managed in a centralized fashion, especially if there are complex or numerous communication channels, in order to reduce the risks that the implementer will mistakenly omit a check in a single code path.
Phase: Testing
Use dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
Phase: Testing
Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.
Demonstrative Examples 2
This example contains client-side code that checks if the user authenticated successfully before sending a command. The server-side code performs the authentication in one step, and executes the command in a separate step.
CLIENT-SIDE (client.pl)

Code Example:

Good
Perl
perl

username/pass is valid, go ahead and update the info!*

perl
SERVER-SIDE (server.pl):
Code Example:
Bad
Perl
perl


does not close the socket on failure; assumes the*


perl


The server accepts 2 commands, "AUTH" which authenticates the user, and "CHANGE-ADDRESS" which updates the address field for the username. The client performs the authentication and only sends a CHANGE-ADDRESS for that user if the authentication succeeds. Because the client has already performed the authentication, the server assumes that the username in the CHANGE-ADDRESS is the same as the authenticated user. An attacker could modify the client by removing the code that sends the "AUTH" command and simply executing the CHANGE-ADDRESS.
ID : DX-153
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications.
Multiple vendors used client-side authentication in their OT products.
  
Observed Examples 5
CVE-2022-33139SCADA system only uses client-side authentication, allowing adversaries to impersonate other users.
CVE-2006-6994ASP program allows upload of .asp files by bypassing client-side checks.
CVE-2007-0163steganography products embed password information in the carrier file, which can be extracted from a modified client.
CVE-2007-0164steganography products embed password information in the carrier file, which can be extracted from a modified client.
CVE-2007-0100client allows server to modify client's configuration and overwrite arbitrary files.
  
References 2
Writing Secure Code
Michael Howard and David LeBlanc
Microsoft Press
04-12-2002
https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223
ID: REF-7
OT:ICEFALL: The legacy of "insecure by design" and its implications for certifications and risk management
Forescout Vedere Labs
20-06-2022
https://www.forescout.com/resources/ot-icefall-report/
ID: REF-1283
 
  
  
 
 
Likelihood of Exploit 
 
 
 
 Medium 
 
 
  
 
 
Applicable Platforms 
 
 
 
 
 
Languages:
 
 
 Not Language-Specific : Undetermined 
 
 
Technologies:
 
 
 ICS/OT : UndeterminedMobile : Undetermined 
 
 
 
  
 
 
Modes of Introduction 
 
 
 
 
 
  Architecture and Design  
 
  Architecture and Design  
 
 
 
  
Related Attack Patterns 
        
 
 
Related Weaknesses 
 
 
 
 
  ChildOf:
 Protection Mechanism Failure (CWE-693) 
  CanPrecede:
 Modification of Assumed-Immutable Data (MAID) (CWE-471) 
  PeerOf:
 Authentication Bypass by Spoofing (CWE-290) 
  PeerOf:
 Channel Accessible by Non-Endpoint (CWE-300) 
 
 
 
 
Taxonomy Mapping 
  • OWASP Top Ten 2004