Authentication / Missing Authentication for Critical Function
Description
Missing Authentication for Critical Function (CWE-306) is a vulnerability in which a function that should only be available to an identified user (for example an administrative or data-modifying operation) can be invoked without the caller first proving who they are. It can occur in both web and API applications. According to the Common Weakness Enumeration (CWE), it is listed in the CWE Top 25 (2022) and is a subclass of CWE-285 Improper Authorization. It can lead to remote attackers gaining access to sensitive data or modifying the system without being detected. According to the OWASP Testing Guide, it can be detected with automated tools or by manual testing of administrative, authentication and authorization functions.
Risk
The risk of this vulnerability is very high, since it can be used to gain unauthorized access to a system. An attacker who reaches an unprotected critical function can read or modify sensitive data, or the system itself, and can use that access for malicious activity such as data exfiltration, data corruption or system destruction.
Solution
The best way to avoid this vulnerability is to ensure that every critical function is protected by an authentication mechanism that is checked before the function runs. This could be a username and password, two-factor authentication, or another form of authentication. It is also important to test and update the authentication mechanism regularly so that it remains secure.
Example
The following code is an example of a vulnerable authentication system:
// Vulnerable: the only gate is a hard-coded secret; no user identity is ever established.
if (userInput.equals("password")) {
    // do some critical action
}
This code checks whether the user input equals the hard-coded string "password" and, if so, performs a critical action. This is an example of missing authentication for a critical function: no authentication mechanism establishes who the caller is, so nothing ensures that only authorized users can perform the critical action.
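The following Python program is an added example, not code from the original page, and it uses Python rather than the page's Java so that it runs stand-alone. It models the same flaw as the snippet above (a critical handler gated only by a hard-coded string), places the hardened form beside it (a server-side session must identify the caller before the handler runs, as the Solution section describes), and then shows the two kinds of checks the Description section mentions: a static audit of a route table for critical routes with no authentication gate, and a dynamic check that replays a legitimate request's parameters without a session. The Request, Response, SESSIONS, ROUTES and CRITICAL_PREFIXES names, the session tokens and the route paths are all constructed for this illustration and do not correspond to any real framework.

```python
# Added example (not from the original page). Every name below (Request, Response,
# SESSIONS, ROUTES, CRITICAL_PREFIXES, require_auth) is an assumption made for this
# illustration, not a real framework's API.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample session store: session token -> authenticated username.
SESSIONS: Dict[str, str] = {"tok-alice-123": "alice"}


@dataclass
class Request:
    path: str
    form: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


def current_user(req: Request) -> Optional[str]:
    """Resolve the caller's identity from the server-side session store, or None."""
    return SESSIONS.get(req.cookies.get("session", ""))


# Vulnerable handler (the pattern from the page's snippet): the only gate is a
# hard-coded secret in the request body. No identity is established, so the
# action cannot be attributed to anyone and anyone who knows the string gets in.
def delete_all_records_vulnerable(req: Request) -> Response:
    if req.form.get("userInput") == "password":
        return Response(200, "records deleted")  # critical action
    return Response(403, "forbidden")


# Hardened form: a decorator that refuses the request unless a session proves
# who the caller is, and passes that identity to the handler for authorization
# decisions and audit logging.
def require_auth(handler: Callable[[Request, str], Response]) -> Callable[[Request], Response]:
    def wrapped(req: Request) -> Response:
        user = current_user(req)
        if user is None:
            return Response(401, "authentication required")
        return handler(req, user)
    wrapped.requires_auth = True  # marker inspected by the static audit below
    return wrapped


@require_auth
def delete_all_records(req: Request, user: str) -> Response:
    # Critical action, now attributable to an authenticated user.
    return Response(200, f"records deleted by {user}")


# Constructed route table. Routes under the critical prefixes are the ones the
# audits below must find protected.
ROUTES: Dict[str, Callable[[Request], Response]] = {
    "/admin/delete-all-vuln": delete_all_records_vulnerable,
    "/admin/delete-all": delete_all_records,
    "/health": lambda req: Response(200, "ok"),
}
CRITICAL_PREFIXES = ("/admin/",)


def audit_unauthenticated_critical_routes(routes: Dict[str, Callable]) -> List[str]:
    """Static check: critical routes whose handler carries no authentication gate."""
    return sorted(
        path for path, handler in routes.items()
        if path.startswith(CRITICAL_PREFIXES) and not getattr(handler, "requires_auth", False)
    )


def probe_without_session(routes: Dict[str, Callable], recorded_form: Dict[str, str]) -> List[str]:
    """Dynamic check: replay a legitimate request's parameters with no session.
    A critical route that still succeeds has no authentication in front of it."""
    findings = []
    for path, handler in routes.items():
        if not path.startswith(CRITICAL_PREFIXES):
            continue
        resp = handler(Request(path, form=dict(recorded_form), cookies={}))
        if resp.status == 200:
            findings.append(path)
    return sorted(findings)


if __name__ == "__main__":
    print("static findings :", audit_unauthenticated_critical_routes(ROUTES))
    print("dynamic findings:", probe_without_session(ROUTES, {"userInput": "password"}))
```

Both checks flag only the vulnerable route: the static audit because its handler was never wrapped by the authentication gate, the dynamic probe because it returns success to a caller with no session. The hardened route returns 401 to the same probe and only succeeds once a valid session cookie identifies the user, which is what makes the critical action both gated and attributable.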