CWE-602: Client-Side Enforcement of Server-Side Security
ID
CWE-602
Abstraction
Class
Structure
Simple
Status
Draft
Number of CVEs
31
The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.
When the server relies on protection mechanisms placed on the client side, an attacker can modify the client-side behavior to bypass the protection mechanisms, resulting in potentially unexpected interactions between the client and server. The consequences will vary, depending on what the mechanisms are trying to protect.
Modes of Introduction
| Phase | Note |
|---|---|
| Architecture and Design | COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. |
| Architecture and Design | Consider a product that consists of two or more processes or nodes that must interact closely, such as a client/server model. If the product uses protection schemes in the client in order to defend from attacks against the server, and the server does not use the same schemes, then an attacker could modify the client in a way that bypasses those schemes. This is a fundamental design flaw that is primary to many weaknesses. |
Applicable Platforms
| Type | Class | Name | Prevalence |
|---|---|---|---|
| Language | Not Language-Specific | ||
| Technology | ICS/OT | ||
| Technology | Mobile |
Relationships
| View | Weakness | |||||||
|---|---|---|---|---|---|---|---|---|
| # ID | View | Status | # ID | Name | Abstraction | Structure | Status | |
| CWE-1000 | Research Concepts | Draft | CWE-693 | Protection Mechanism Failure | Pillar | Simple | Draft | |
| CWE-1000 | Research Concepts | Draft | CWE-471 | Modification of Assumed-Immutable Data (MAID) | Base | Simple | Draft | |
| CWE-1000 | Research Concepts | Draft | CWE-290 | Authentication Bypass by Spoofing | Base | Simple | Incomplete | |
| CWE-1000 | Research Concepts | Draft | CWE-300 | Channel Accessible by Non-Endpoint | Class | Simple | Draft | |
Common Attack Pattern Enumeration and Classification (CAPEC)
The Common Attack Pattern Enumeration and Classification (CAPECâ„¢) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.
CAPEC at Mitre.org| # ID | Name | Weaknesses |
|---|---|---|
| CAPEC-21 | Exploitation of Trusted Identifiers | CWE-602 |
| CAPEC-31 | Accessing/Intercepting/Modifying HTTP Cookies | CWE-602 |
| CAPEC-162 | Manipulating Hidden Fields | CWE-602 |
| CAPEC-202 | Create Malicious Client | CWE-602 |
| CAPEC-207 | Removing Important Client Functionality | CWE-602 |
| CAPEC-208 | Removing/short-circuiting 'Purse' logic: removing/mutating 'cash' decrements | CWE-602 |
| CAPEC-383 | Harvesting Information via API Event Monitoring | CWE-602 |
| CAPEC-384 | Application API Message Manipulation via Man-in-the-Middle | CWE-602 |
| CAPEC-385 | Transaction or Event Tampering via Application API Manipulation | CWE-602 |
| CAPEC-386 | Application API Navigation Remapping | CWE-602 |
| CAPEC-387 | Navigation Remapping To Propagate Malicious Content | CWE-602 |
| CAPEC-388 | Application API Button Hijacking | CWE-602 |
CVEs Published
CVSS Severity
CVSS Severity - By Year
CVSS Base Score
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |
Loading...