CWE-287
DiscouragedImproper Authentication
Abstraction: Class · Status: Draft
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
5966 vulnerabilities reference this CWE, most recent first.
GHSA-MFFC-9GX5-99G3
Vulnerability from github – Published: 2022-05-14 01:46 – Updated: 2024-09-27 15:49The checkPassword function in python-kerberos does not authenticate the KDC it attempts to communicate with, which allows remote attackers to cause a denial of service (bad response), or have other unspecified impact by performing a man-in-the-middle attack.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "kerberos"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.2.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "pykerberos"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2015-3206"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-23T20:53:08Z",
"nvd_published_at": "2017-08-25T18:29:00Z",
"severity": "CRITICAL"
},
"details": "The `checkPassword` function in python-kerberos does not authenticate the KDC it attempts to communicate with, which allows remote attackers to cause a denial of service (bad response), or have other unspecified impact by performing a man-in-the-middle attack.",
"id": "GHSA-mffc-9gx5-99g3",
"modified": "2024-09-27T15:49:07Z",
"published": "2022-05-14T01:46:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3206"
},
{
"type": "WEB",
"url": "https://github.com/apple/ccs-pykerberos/issues/31"
},
{
"type": "WEB",
"url": "https://github.com/apple/ccs-pykerberos/commit/9cb61c93f9b24dd18a0a315f3df5445529c5c333"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1223802"
},
{
"type": "PACKAGE",
"url": "https://github.com/apple/ccs-pykerberos"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/kerberos/PYSEC-2017-49.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/pykerberos/PYSEC-2017-66.yaml"
},
{
"type": "WEB",
"url": "https://pypi.python.org/pypi/kerberos"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20150910143429/https://trac.calendarserver.org/ticket/833"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20200228090829/http://www.securityfocus.com/bid/74760"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2015/05/21/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "python-kerberos vulnerable to KDC spoofing attacks"
}
GHSA-MFHM-PR46-C4C3
Vulnerability from github – Published: 2022-05-17 00:01 – Updated: 2022-05-25 00:00The WPQA Builder Plugin WordPress plugin before 5.2, used as a companion plugin for the Discy and Himer , does not validate that the value passed to the image_id parameter of the ajax action wpqa_remove_image belongs to the requesting user, allowing any users (with privileges as low as Subscriber) to delete the profile pictures of any other user.
{
"affected": [],
"aliases": [
"CVE-2022-1349"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-16T15:15:00Z",
"severity": "MODERATE"
},
"details": "The WPQA Builder Plugin WordPress plugin before 5.2, used as a companion plugin for the Discy and Himer , does not validate that the value passed to the image_id parameter of the ajax action wpqa_remove_image belongs to the requesting user, allowing any users (with privileges as low as Subscriber) to delete the profile pictures of any other user.",
"id": "GHSA-mfhm-pr46-c4c3",
"modified": "2022-05-25T00:00:19Z",
"published": "2022-05-17T00:01:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1349"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/7ee95a53-5fe9-404c-a77a-d1218265e4aa"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MFJ5-CF8G-G2FV
Vulnerability from github – Published: 2024-12-02 20:04 – Updated: 2024-12-18 15:56Summary
When making any HTTP request, the automatically enabled and self-managed CookieStore (aka cookie jar) will silently replace explicitly defined Cookies with any that have the same name from the cookie jar. For services that operate with multiple users, this can result in one user's Cookie being used for another user's requests.
Details
This issue is described without security warnings here:
https://github.com/AsyncHttpClient/async-http-client/issues/1964
A PR to fix this issue has been made:
https://github.com/AsyncHttpClient/async-http-client/pull/2033
PoC
- Add an auth
Cookieto theCookieStore- This is identical to receiving an HTTP response that uses
Set-Cookie, as shown in issue #1964 above.
- This is identical to receiving an HTTP response that uses
- Handle a different user's request where the same
Cookieis provided as a passthrough, like a JWT, and attempt to use it by explicitly providing it. - Observe that the user's cookie in step 2 is passed as the Cookie in step 1.
Impact
This is generally going to be a problem for developers of backend services that implement third party auth features and use other features like token refresh. The moment a third party service responds by setting a cookie in the response, the CookieStore will effectively break almost every follow-up request (hopefully by being rejected, but possibly by revealing a different user's information).
If your service sets cookies based on the response that happens here, it's possible to lead to even greater levels of exposure.
Workaroud
You can avoid this issue by disabling the CookieStore during client creation:
DefaultAsyncHttpClientConfig.Builder clientBuilder = Dsl.config()
.setCookieStore(null)
// other configuration
;
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.asynchttpclient:async-http-client"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.12.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.asynchttpclient:async-http-client"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0.Beta1"
},
{
"fixed": "3.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-53990"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2024-12-02T20:04:43Z",
"nvd_published_at": "2024-12-02T18:15:11Z",
"severity": "CRITICAL"
},
"details": "### Summary\n\nWhen making any HTTP request, the automatically enabled and self-managed `CookieStore` (aka cookie jar) will silently replace explicitly defined `Cookie`s with any that have the same name from the cookie jar. For services that operate with multiple users, this can result in one user\u0027s `Cookie` being used for another user\u0027s requests.\n\n### Details\n\nThis issue is described without security warnings here:\n\nhttps://github.com/AsyncHttpClient/async-http-client/issues/1964\n\nA PR to fix this issue has been made:\n\nhttps://github.com/AsyncHttpClient/async-http-client/pull/2033\n\n### PoC\n\n1. Add an auth `Cookie` to the `CookieStore`\n - This is identical to receiving an HTTP response that uses `Set-Cookie`, as shown in issue #1964 above.\n2. Handle a different user\u0027s request where the same `Cookie` is provided as a passthrough, like a JWT, and attempt to use it by explicitly providing it.\n3. Observe that the user\u0027s cookie in step 2 is passed as the Cookie in step 1.\n\n### Impact\n\nThis is generally going to be a problem for developers of backend services that implement third party auth features and use other features like token refresh. The moment a third party service responds by _setting_ a cookie in the response, the `CookieStore` will effectively break almost every follow-up request (hopefully by being rejected, but possibly by revealing a different user\u0027s information).\n\nIf your service sets cookies based on the response that happens here, it\u0027s possible to lead to even greater levels of exposure.\n\n### Workaroud\n\nYou can avoid this issue by disabling the `CookieStore` during client creation:\n\n```java\nDefaultAsyncHttpClientConfig.Builder clientBuilder = Dsl.config()\n .setCookieStore(null)\n // other configuration\n ;\n```",
"id": "GHSA-mfj5-cf8g-g2fv",
"modified": "2024-12-18T15:56:40Z",
"published": "2024-12-02T20:04:43Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-mfj5-cf8g-g2fv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53990"
},
{
"type": "WEB",
"url": "https://github.com/AsyncHttpClient/async-http-client/issues/1964"
},
{
"type": "WEB",
"url": "https://github.com/AsyncHttpClient/async-http-client/pull/2033"
},
{
"type": "WEB",
"url": "https://github.com/AsyncHttpClient/async-http-client/commit/d5a83362f7aed81b93ebca559746ac9be0f95425"
},
{
"type": "PACKAGE",
"url": "https://github.com/AsyncHttpClient/async-http-client"
},
{
"type": "WEB",
"url": "https://github.com/AsyncHttpClient/async-http-client/blob/main/CHANGES.md#from-20-to-21"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "AsyncHttpClient (AHC) library\u0027s `CookieStore` replaces explicitly defined `Cookie`s"
}
GHSA-MFJQ-7FFC-QGMV
Vulnerability from github – Published: 2024-03-08 18:30 – Updated: 2024-03-08 18:30An improper authentication vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to compromise the security of the system via a network.
We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QTS 4.5.4.2627 build 20231225 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTS hero h4.5.4.2626 build 20231225 and later QuTScloud c5.1.5.2651 and later
{
"affected": [],
"aliases": [
"CVE-2024-21899"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-08T17:15:22Z",
"severity": "CRITICAL"
},
"details": "An improper authentication vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to compromise the security of the system via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.3.2578 build 20231110 and later\nQTS 4.5.4.2627 build 20231225 and later\nQuTS hero h5.1.3.2578 build 20231110 and later\nQuTS hero h4.5.4.2626 build 20231225 and later\nQuTScloud c5.1.5.2651 and later\n",
"id": "GHSA-mfjq-7ffc-qgmv",
"modified": "2024-03-08T18:30:31Z",
"published": "2024-03-08T18:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21899"
},
{
"type": "WEB",
"url": "https://www.qnap.com/en/security-advisory/qsa-24-09"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MFM8-X888-WXXX
Vulnerability from github – Published: 2022-05-17 01:39 – Updated: 2022-05-17 01:39Java Open Single Sign-On Project Home (JOSSO) allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack."
{
"affected": [],
"aliases": [
"CVE-2012-5352"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2012-10-09T23:55:00Z",
"severity": "MODERATE"
},
"details": "Java Open Single Sign-On Project Home (JOSSO) allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a \"Signature exclusion attack.\"",
"id": "GHSA-mfm8-x888-wxxx",
"modified": "2022-05-17T01:39:46Z",
"published": "2022-05-17T01:39:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5352"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=865169"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79241"
},
{
"type": "WEB",
"url": "http://www.nds.rub.de/media/nds/veroeffentlichungen/2012/08/22/BreakingSAML_3.pdf"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/55892"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-MFPX-CX7P-6JC6
Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-07-13 00:01HashiCorp Vault Enterprise 0.9.2 through 1.6.2 allowed the read of license metadata from DR secondaries without authentication. Fixed in 1.6.3.
{
"affected": [],
"aliases": [
"CVE-2021-27668"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-31T18:15:00Z",
"severity": "MODERATE"
},
"details": "HashiCorp Vault Enterprise 0.9.2 through 1.6.2 allowed the read of license metadata from DR secondaries without authentication. Fixed in 1.6.3.",
"id": "GHSA-mfpx-cx7p-6jc6",
"modified": "2022-07-13T00:01:13Z",
"published": "2022-05-24T19:12:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27668"
},
{
"type": "WEB",
"url": "https://discuss.hashicorp.com/t/hcsec-2021-05-vault-enterprise-s-dr-secondaries-exposed-license-metadata-without-authentication/21427"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202207-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MFRQ-67VR-MFX7
Vulnerability from github – Published: 2022-05-17 00:37 – Updated: 2022-05-17 00:37Zeeways SHAADICLONE 2.0 allows remote attackers to bypass authentication and gain administrative privileges via a direct request to admin/home.php.
{
"affected": [],
"aliases": [
"CVE-2008-6912"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2009-08-07T19:00:00Z",
"severity": "HIGH"
},
"details": "Zeeways SHAADICLONE 2.0 allows remote attackers to bypass authentication and gain administrative privileges via a direct request to admin/home.php.",
"id": "GHSA-mfrq-67vr-mfx7",
"modified": "2022-05-17T00:37:30Z",
"published": "2022-05-17T00:37:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-6912"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46502"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/7066"
},
{
"type": "WEB",
"url": "http://osvdb.org/49746"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/32222"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2008/3069"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-MFXF-3HWQ-XPWQ
Vulnerability from github – Published: 2022-05-17 00:38 – Updated: 2022-05-17 00:38MyShoutPro 1.2 allows remote attackers to bypass authentication and gain administrative access by setting the admin_access cookie to 1.
{
"affected": [],
"aliases": [
"CVE-2008-6738"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2009-04-21T18:30:00Z",
"severity": "HIGH"
},
"details": "MyShoutPro 1.2 allows remote attackers to bypass authentication and gain administrative access by setting the admin_access cookie to 1.",
"id": "GHSA-mfxf-3hwq-xpwq",
"modified": "2022-05-17T00:38:32Z",
"published": "2022-05-17T00:38:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-6738"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/43145"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/5845"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/29780"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-MG2F-G382-VVC6
Vulnerability from github – Published: 2024-09-05 12:31 – Updated: 2024-09-05 12:31This vulnerability allows unauthenticated remote attackers to bypass authentication and gain partial data access to the vulnerable Trellix IPS Manager with garbage data in response mostly
{
"affected": [],
"aliases": [
"CVE-2024-5956"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-305"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-05T11:15:12Z",
"severity": "MODERATE"
},
"details": "This vulnerability allows unauthenticated remote attackers to bypass authentication and gain partial data access to the vulnerable Trellix IPS Manager with garbage data in response mostly",
"id": "GHSA-mg2f-g382-vvc6",
"modified": "2024-09-05T12:31:16Z",
"published": "2024-09-05T12:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5956"
},
{
"type": "WEB",
"url": "https://thrive.trellix.com/s/article/000013870"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MG2G-8PWJ-R2J2
Vulnerability from github – Published: 2021-06-10 17:21 – Updated: 2022-03-15 16:38The GraphQL module accepts basic-auth as an authentication method by default. This can be used to bypass MFA authentication if the silverstripe/mfa module is installed, which is now a commonly installed module. A users password is still required though.
Basic-auth has been removed as a default authentication method. If desired, it can be re-enabled by adding it to the authenticators key of a schema, or on SilverStripe\Graphql\Auth\Handler
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "silverstripe/graphql"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.5.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "silverstripe/graphql"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0-alpha1"
},
{
"fixed": "4.0.0-alpha2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-26136"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-288"
],
"github_reviewed": true,
"github_reviewed_at": "2021-06-10T14:41:10Z",
"nvd_published_at": "2021-06-08T20:15:00Z",
"severity": "MODERATE"
},
"details": "The GraphQL module accepts basic-auth as an authentication method by default. This can be used to bypass MFA authentication if the silverstripe/mfa module is installed, which is now a commonly installed module. A users password is still required though.\n\nBasic-auth has been removed as a default authentication method. If desired, it can be re-enabled by adding it to the authenticators key of a schema, or on SilverStripe\\Graphql\\Auth\\Handler",
"id": "GHSA-mg2g-8pwj-r2j2",
"modified": "2022-03-15T16:38:13Z",
"published": "2021-06-10T17:21:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26136"
},
{
"type": "WEB",
"url": "https://forum.silverstripe.org/c/releases"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/graphql/CVE-2020-26136.yaml"
},
{
"type": "WEB",
"url": "https://www.silverstripe.org/blog/tag/release"
},
{
"type": "WEB",
"url": "https://www.silverstripe.org/download/security-releases"
},
{
"type": "WEB",
"url": "https://www.silverstripe.org/download/security-releases/cve-2020-26136"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Authentication bypass in SilverStripe GraphQL"
}
Mitigation
Strategy: Libraries or Frameworks
Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
CAPEC-114: Authentication Abuse
An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker.
CAPEC-115: Authentication Bypass
An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.
CAPEC-151: Identity Spoofing
Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials.
CAPEC-194: Fake the Source of Data
An adversary takes advantage of improper authentication to provide data or services under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or to assume the rights granted to another individual. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. The root of the attack (in this case the email system) fails to properly authenticate the source and this results in the reader incorrectly performing the instructed action. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.
CAPEC-22: Exploiting Trust in Client
An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
CAPEC-57: Utilizing REST's Trust in the System Resource to Obtain Sensitive Data
This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated.
CAPEC-593: Session Hijacking
This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.
CAPEC-633: Token Impersonation
An adversary exploits a weakness in authentication to create an access token (or equivalent) that impersonates a different entity, and then associates a process/thread to that that impersonated token. This action causes a downstream user to make a decision or take action that is based on the assumed identity, and not the response that blocks the adversary.
CAPEC-650: Upload a Web Shell to a Web Server
By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This shell can have various capabilities, thereby acting as a "gateway" to the underlying web server. The shell might execute at the higher permission level of the web server, providing the ability the execute malicious code at elevated levels.
CAPEC-94: Adversary in the Middle (AiTM)
An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.