CWE-602 - Client-Side Enforcement of Server-Side Security
Likelihood of Exploit: Medium
- Abstraction: Class
- Structure: Simple
- Status: Draft
- Weakness Name
Client-Side Enforcement of Server-Side Security
- Description
The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.
When the server relies on protection mechanisms placed on the client side, an attacker can modify the client-side behavior to bypass the protection mechanisms, resulting in potentially unexpected interactions between the client and server. The consequences will vary, depending on what the mechanisms are trying to protect.
- Common Consequences
Scope: Access Control, Availability
Impact: Bypass Protection Mechanism, DoS: Crash, Exit, or Restart
Notes: Client-side validation checks can be easily bypassed, allowing malformed or unexpected input to pass into the application, potentially as trusted data. This may lead to unexpected states or behaviors, and possibly a crash.
Scope: Access Control
Impact: Bypass Protection Mechanism, Gain Privileges or Assume Identity
Notes: Client-side checks for authentication can be easily bypassed, allowing clients to escalate their access levels and perform unintended actions.
- Related Weaknesses
- Release Date: 2007-05-07
- Latest Modification Date: 2023-06-29