Use of Client-Side Authentication

Draft Base
Structure: Simple
Description

This vulnerability occurs when an application places its authentication logic solely within the client-side code, such as in a mobile app or web browser, without enforcing the same checks on the server. Attackers can bypass authentication by modifying the client to skip these checks entirely.

Extended Description

Relying on client-side authentication creates a critical security flaw because the attacker controls the client environment. They can easily decompile an app, inspect JavaScript, or use debugging tools to analyze and remove the authentication logic. Since the server blindly trusts the client's claim of being authenticated, this allows unauthorized access to protected functions and data. To prevent this, authentication must always be verified and enforced on the server. Every request for a protected resource or action should be validated server-side using a secure session or token that the client cannot forge. Treat all client-side code as inherently untrustworthy and ensure the server is the final authority on user identity and permissions.

Common Consequences
Scope: Access Control

Impact: Bypass Protection Mechanism; Gain Privileges or Assume Identity

Potential Mitigations
Phase: Architecture and Design
Do not rely on client-side data. Always perform server-side authentication.
Demonstrative Examples

ID : DX-153

In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications.
Multiple vendors used client-side authentication in their OT products.
Observed Examples
CVE-2022-33139: SCADA system only uses client-side authentication, allowing adversaries to impersonate other users.
CVE-2006-0230: Client-side check for a password allows access to a server using crafted XML requests from a modified client.
References
REF-62: Mark Dowd, John McDonald, and Justin Schuh. "The Art of Software Security Assessment". Addison Wesley, 2006.
REF-1283: Forescout Vedere Labs. "OT:ICEFALL: The legacy of "insecure by design" and its implications for certifications and risk management". 20-06-2022.
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Technologies:
ICS/OT : Undetermined
Modes of Introduction
Architecture and Design
Implementation