CWE-602: Client-Side Enforcement of Server-Side Security
Learn about CWE-602 (Client-Side Enforcement of Server-Side Security), its security impact, exploitation methods, and prevention guidelines.
What is Client-Side Enforcement of Server-Side Security?
• Overview: Client-Side Enforcement of Server-Side Security (CWE-602) occurs when a server depends on the client to enforce security mechanisms. This reliance can be exploited because clients can be manipulated by attackers, undermining the intended security.
• Exploitation Methods:
- Attackers can modify the client-side code or use custom clients to bypass security.
- Common attack patterns include intercepting and altering data sent to the server, disabling client-side validation, and replaying requests.
• Security Impact:
- Direct consequences include unauthorized access, data manipulation, and service disruption.
- Potential cascading effects might involve privilege escalation, data breaches, and integrity loss.
- Business impact can range from financial loss to reputational damage and compliance violations.
• Prevention Guidelines:
- Specific code-level fixes include implementing all security checks and validations on the server side.
- Security best practices involve minimizing client-side logic that affects security, using HTTPS to secure data in transit, and conducting regular security audits.
- Recommended tools and frameworks include using server-side frameworks that provide built-in security features, employing web application firewalls, and utilizing automated security testing tools.
Technical Details
Likelihood of Exploit:
Affected Languages: Not Language-Specific
Affected Technologies: ICS/OT, Mobile
Vulnerable Code Example
JavaScript Example
// This JavaScript code checks if the user is an admin by relying on a client-side variable
let userIsAdmin = false;
// Function to check admin access
function isAdmin() {
return userIsAdmin; // Vulnerability: The client can manipulate this value
}
// Client-side logic to control access
if (isAdmin()) {
console.log("Access granted to admin section."); // The client can bypass this check
} else {
console.log("Access denied.");
}
Explanation
- In this example, the
userIsAdminvariable is defined and checked entirely on the client side. A malicious user can easily alter this value using browser developer tools, settinguserIsAdmintotrueto gain unauthorized access to admin sections. - This demonstrates the vulnerability of relying solely on client-side checks for critical access control.
How to fix Client-Side Enforcement of Server-Side Security?
Fixed Code Example
JavaScript Example
// Fixed: Use server-side validation to enforce security
const express = require('express');
const app = express();
const session = require('express-session');
// Middleware for session management
app.use(session({
secret: 'your-secret-key',
resave: false,
saveUninitialized: true
}));
// Middleware to check admin access
function checkAdminAccess(req, res, next) {
// Assume req.session.user is set after authentication middleware
if (req.session.user && req.session.user.role === 'admin') { // Server-side check
next(); // User is authorized
} else {
res.status(403).send('Access denied.'); // Unauthorized access
}
}
// Route protected by server-side check
app.get('/admin', checkAdminAccess, (req, res) => {
res.send('Welcome to the admin section.');
});
app.listen(3000, () => console.log('Server running on port 3000'));
Explanation
- The fixed version uses an Express middleware function
checkAdminAccessto enforce access control on the server. It checks the user's role within the server-side session object, which is established after proper authentication. - The
req.session.userobject is assumed to be set after successful authentication, ensuring the server manages user roles and permissions. - This approach prevents the client from manipulating access controls, as all critical checks are performed server-side, ensuring secure and reliable authorization.