CWE-301 Base Borrador Medium likelihood

Reflection Attack in an Authentication Protocol

A reflection attack is a flaw in mutual authentication protocols that allows an attacker to impersonate a legitimate user without knowing the secret key. This happens when an attacker can bounce, or…

Definición

What is CWE-301?

A reflection attack is a flaw in mutual authentication protocols that allows an attacker to impersonate a legitimate user without knowing the secret key. This happens when an attacker can bounce, or 'reflect,' a server's own challenge back to it using a second connection, tricking the system into granting access.
In a typical mutual authentication setup, both the client and server share a secret key. To prove identity without sending the key directly, they exchange random challenges that must be encrypted with that shared secret. The vulnerability arises when the same key is used across multiple sessions and the protocol design allows an attacker to use the server's response from one connection to answer a challenge in another. Here’s how the attack works in practice: An attacker initiates a connection to the server, posing as a legitimate user, and receives a challenge. Instead of solving it, the attacker opens a second connection to the server. In this new session, the attacker sends the server's original challenge as its own. The server helpfully encrypts it and sends the response back, which the attacker then uses to correctly answer the first connection's challenge. This bypasses authentication because the server essentially authenticates itself, granting the attacker access.
Impacto en el mundo real

Real-world CVEs caused by CWE-301

  • CVE-2005-3435

    product authentication succeeds if user-provided MD5 hash matches the hash in its database; this can be subjected to replay attacks.

Cómo lo explotan los atacantes

Ruta del atacante paso a paso

  1. 1

    Identifica una ruta de código que maneje entrada no confiable sin validación.

  2. 2

    Crea un payload que ejercite el comportamiento inseguro — inyección, traversal, overflow o abuso de lógica.

  3. 3

    Envía el payload a través de una solicitud normal y observa la reacción de la aplicación.

  4. 4

    Itera hasta que la respuesta filtre datos, ejecute código del atacante o escale privilegios.

Ejemplo de código vulnerable

Vulnerable C

The following example demonstrates the weakness.

Vulnerable C 
unsigned char *simple_digest(char *alg,char *buf,unsigned int len, int *olen) {
  	const EVP_MD *m;
  	EVP_MD_CTX ctx;
  	unsigned char *ret;
  	OpenSSL_add_all_digests();
  	if (!(m = EVP_get_digestbyname(alg))) return NULL;
  	if (!(ret = (unsigned char*)malloc(EVP_MAX_MD_SIZE))) return NULL;
  	EVP_DigestInit(&ctx, m);
  	EVP_DigestUpdate(&ctx,buf,len);
  	EVP_DigestFinal(&ctx,ret,olen);
  	return ret;
  }
  unsigned char *generate_password_and_cmd(char *password_and_cmd) {
  	simple_digest("sha1",password,strlen(password_and_cmd)
  	...
  	);
  }
Ejemplo de código seguro

Secure pseudo

Seguro pseudo 
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de prevención

How to prevent CWE-301

  • Architecture and Design Use different keys for the initiator and responder or of a different type of challenge for the initiator and responder.
  • Architecture and Design Let the initiator prove its identity before proceeding.
Señales de detección

How to detect CWE-301

SAST High

Ejecuta análisis estático (SAST) sobre el código buscando el patrón inseguro en el flujo de datos.

DAST Moderate

Ejecuta pruebas dinámicas de seguridad de aplicaciones (DAST) contra el endpoint en vivo.

Runtime Moderate

Vigila los logs en tiempo de ejecución para detectar trazas de excepción inusuales, entradas malformadas o intentos de bypass de autorización.

Code review Moderate

Revisión de código: marca cualquier código nuevo que maneje entrada desde esta superficie sin usar los helpers validados del framework.

Auto-corrección de Plexicus

Plexicus detecta automáticamente CWE-301 y abre un PR de corrección en menos de 60 segundos.

Codex Remedium escanea cada commit, identifica esta debilidad concreta y entrega un pull request listo para revisión con el parche. Sin tickets. Sin traspasos.

Solicitar demo Probar Plexicus gratis
Preguntas frecuentes

Frequently asked questions

¿Qué es CWE-301?

A reflection attack is a flaw in mutual authentication protocols that allows an attacker to impersonate a legitimate user without knowing the secret key. This happens when an attacker can bounce, or 'reflect,' a server's own challenge back to it using a second connection, tricking the system into granting access.

¿Qué gravedad tiene CWE-301?

MITRE califica la probabilidad de explotación como Media — la explotación es realista pero suele requerir condiciones específicas.

¿Qué lenguajes o plataformas se ven afectados por CWE-301?

MITRE no ha especificado plataformas afectadas para esta CWE — puede aplicar a la mayoría de los stacks de aplicaciones.

¿Cómo puedo prevenir CWE-301?

Use different keys for the initiator and responder or of a different type of challenge for the initiator and responder. Let the initiator prove its identity before proceeding.

¿Cómo detecta y corrige Plexicus CWE-301?

El motor SAST de Plexicus detecta la firma de flujo de datos para CWE-301 en cada commit. Cuando hay coincidencia, nuestro agente Codex Remedium abre un PR de corrección con el código corregido, las pruebas y un resumen de una línea para el revisor.

¿Dónde puedo aprender más sobre CWE-301?

MITRE publica la definición canónica en https://cwe.mitre.org/data/definitions/301.html. También puedes consultar la documentación de OWASP y NIST para guías relacionadas.

Debilidades relacionadas

Weaknesses related to CWE-301

CWE-1390 Padre

Weak Authentication

This vulnerability occurs when a system's login or identity verification process is too easy to bypass or fool. While it attempts to check…

CWE-1391 Hermano

Use of Weak Credentials

This vulnerability occurs when a system relies on weak authentication credentials—like default passwords, hard-coded keys, or easily…

CWE-262 Hermano

Not Using Password Aging

This vulnerability occurs when a system lacks password expiration policies, allowing users to keep the same password indefinitely.

CWE-263 Hermano

Password Aging with Long Expiration

The system enforces password changes, but the time allowed between changes is excessively long, weakening security.

CWE-289 Hermano

Authentication Bypass by Alternate Name

This vulnerability occurs when a system checks access based on a resource or user name, but fails to account for all the different names…

CWE-290 Hermano

Authentication Bypass by Spoofing

This weakness occurs when an application's authentication system can be tricked into accepting forged or manipulated credentials, allowing…

CWE-294 Hermano

Authentication Bypass by Capture-replay

This vulnerability occurs when an attacker can intercept and record legitimate authentication traffic, then replay it later to gain…

CWE-302 Hermano

Authentication Bypass by Assumed-Immutable Data

This vulnerability occurs when an authentication system incorrectly treats certain data as unchangeable, when in fact an attacker can…

CWE-303 Hermano

Incorrect Implementation of Authentication Algorithm

This weakness occurs when a developer implements a standard authentication algorithm, but makes critical mistakes in the code that cause…

Recursos

Further reading

Listo cuando tú lo estés

Deja de pagar por desarrollador.
Empieza a cerrar el bucle.

Plexicus es el ASPM nativo de IA que escanea, filtra, corrige, pentestea y explica — de forma autónoma. Desarrolladores ilimitados, repos ilimitados, acciones de IA de uso justo. Nivel gratuito real, €269/mo anual cuando estés listo.

Comenzar gratis Reservar una demo