Corgea LogoCorgea Security Hub

CWE-306: Missing Authentication for Critical Function

Learn about CWE-306 (Missing Authentication for Critical Function), its security impact, exploitation methods, and prevention guidelines.

What is Missing Authentication for Critical Function?

• Overview: Missing Authentication for Critical Function (CWE-306) occurs when a software application does not perform authentication for critical functionalities that require verification of user identity, potentially allowing unauthorized users to access or manipulate sensitive operations.

• Exploitation Methods:

  • Attackers can exploit this vulnerability by directly accessing URLs or APIs associated with critical functions without providing any credentials.
  • Common attack patterns include leveraging lack of authentication to invoke administrative functions, sensitive data retrieval, or other resource-intensive operations.

• Security Impact:

  • Direct consequences of successful exploitation include unauthorized access to sensitive data or critical system functions.
  • Potential cascading effects involve further exploitation of additional vulnerabilities due to unauthorized system access.
  • Business impact includes data breaches, financial loss, reputational damage, and possible legal implications.

• Prevention Guidelines:

  • Implement robust authentication mechanisms for all critical functions, ensuring that only authorized users can access them.
  • Security best practices include adopting the principle of least privilege, regularly reviewing and updating access controls, and employing multi-factor authentication.
  • Recommended tools and frameworks include using established libraries and frameworks that provide authentication support, such as OAuth, OpenID Connect, or SAML, and conducting regular security audits and penetration testing.

Corgea can automatically detect and fix Missing Authentication for Critical Function in your codebase. Try Corgea free today.

Technical Details

Likelihood of Exploit: High

Affected Languages: Not Language-Specific

Affected Technologies: Cloud Computing, ICS/OT

Vulnerable Code Example

from flask import Flask, request, jsonify

app = Flask(__name__)

@app.route('/delete_user', methods=['POST'])
def delete_user():
    user_id = request.form.get('user_id')
    # Vulnerability: No authentication or authorization checks
    # Anyone can delete any user without proper verification
    delete_user_from_database(user_id)  # Assumes this function deletes a user
    return jsonify({"status": "success", "message": "User deleted"}), 200

Explanation:

  • Missing Authentication: The endpoint /delete_user allows any request to delete a user without verifying the identity of the requester. This poses a significant security risk as unauthorized users can perform critical actions.
  • Missing Authorization: There are no checks to ensure that the requester has the necessary permissions to delete a user, allowing any authenticated user to perform this action regardless of their role.

How to fix Missing Authentication for Critical Function?

To address this vulnerability, the code should include both authentication and authorization checks. This ensures that only authenticated users with the appropriate permissions can perform critical actions like deleting a user.

Steps to Fix:

  1. Authentication: Verify that the user is logged in and their session is valid using secure methods like token-based authentication.
  2. Authorization: Check that the user has the necessary permissions to delete a user, such as being an admin or having specific roles.
  3. Use Secure Tokens: Implement secure token handling (e.g., JWT) to manage sessions and validate user identities.
  4. Error Handling: Provide meaningful error messages without exposing sensitive information.

Fixed Code Example

from flask import Flask, request, jsonify, abort
from functools import wraps

app = Flask(__name__)

# Mock function for user authentication
def authenticate_user(token):
    # Implement actual logic to decode token and validate user
    return token == "valid_token"

# Mock function to check if the user is authorized
def is_authorized_to_delete(user_id):
    # Implement actual logic to check user's permissions
    return user_id == "admin"

def auth_required(f):
    @wraps(f)
    def decorated_function(*args, **kwargs):
        token = request.headers.get("Authorization")
        if not token or not authenticate_user(token):
            abort(401, description="Unauthorized: Invalid token")
        return f(*args, **kwargs)
    return decorated_function

@app.route('/delete_user', methods=['POST'])
@auth_required
def delete_user():
    user_id = request.form.get('user_id')
    if not is_authorized_to_delete(user_id):
        abort(403, description="Forbidden: User not authorized")
    delete_user_from_database(user_id)  # Assumes this function deletes a user
    return jsonify({"status": "success", "message": "User deleted"}), 200

Key Changes and Security Controls:

  • Authentication Check: Added an auth_required decorator to ensure the user is authenticated using a token, enhancing security by validating the user's identity before allowing access to the function.
  • Authorization Check: Implemented a function is_authorized_to_delete to verify that the user has the necessary permissions to delete another user, ensuring that only authorized users can perform this action.
  • Error Handling: Used abort with appropriate HTTP status codes (401 for unauthorized and 403 for forbidden) to handle unauthorized access attempts gracefully, providing clear feedback without exposing sensitive system details.
Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-306: Missing Authentication for Critical Function and get remediation guidance

Start for free and no credit card needed.