SV.AUTH.BYPASS.MIGHT
Incorrect authentication
This checker verifies whether the user authentication method is sufficient and is not bypassed. Project authentication can rely on the loggedIn cookie value. The SV.AUTH.BYPASS.MIGHT checker identifies cases where the loggedIn cookie may be used to bypass authentication.
This checker reports a defect if "userName" is used in the body with either .getParameter() or .get().
Vulnerability and risk
When an actor claims to have a given identity and the software does not prove, or insufficiently proves, that the claim is correct, this weakness can lead to the exposure of resources or functionality to unintended actors. This weakness can possibly provide attackers with sensitive information or even the ability to execute arbitrary code.
Vulnerable code example 1
public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    Map<String, String> result = new HashMap<>();
    // result contains cookie values from request
    ...
    if ("true".equals(result.get("loggedIn")))
    {
        if (! AuthenticateUser(request.getParameter("userName"), ... )) { // user authentication
            System.err.println("Error: you need to log in first");
        }
        else {
            Cookie loggedIn = new Cookie("loggedIn", "true");
            ...
        }
    }
}
Klocwork reports an SV.AUTH.BYPASS.MUST defect on line 6, indicating "Use of cookie 'loggedIn' can lead to authentication bypass". In this example, a person can set the loggedIn cookie in the browser and bypass the authentication.
Fixed code example 1
public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    Map<String, String> result = new HashMap<>();
    if (! AuthenticateUser(request.getParameter("userName"), ... )) { // user authentication
        System.err.println("Error: you need to log in first");
    }
    else {
        Cookie loggedIn = new Cookie("loggedIn", "true");
        ...
    }
}
In this fixed example, Klocwork no longer reports a defect as no cookie is used to bypass authentication.
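The following program is an added example, not Klocwork's code and not from the checker's own documentation. It runs on a plain JDK (no servlet API) and shows the two patterns side by side: the checker's finding, where a "loggedIn" cookie chosen by the client is the only evidence of login, and a server-side alternative, where the client holds only an opaque random session id and the server owns the id-to-user mapping. The cookie parser, the user store, and the credential values are constructed for the demo; AuthenticateUser from the page is stood in for by authenticateUser below.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Added example: a client-settable loggedIn cookie versus a server-owned session. */
public class CookieAuthDemo {

    // Parse a raw Cookie header ("a=1; b=2") into a name->value map, the same
    // shape as the 'result' map in the checker's example above.
    static Map<String, String> parseCookies(String cookieHeader) {
        Map<String, String> cookies = new HashMap<>();
        if (cookieHeader == null) return cookies;
        for (String pair : cookieHeader.split(";")) {
            int eq = pair.indexOf('=');
            if (eq < 0) continue;
            cookies.put(pair.substring(0, eq).trim(), pair.substring(eq + 1).trim());
        }
        return cookies;
    }

    // Constructed credential store standing in for the page's AuthenticateUser(...).
    // Real code would verify a salted password hash rather than compare plaintext.
    private static final Map<String, String> USERS = Map.of("alice", "correct horse battery staple");

    static boolean authenticateUser(String userName, String password) {
        if (userName == null || password == null) return false;
        String expected = USERS.get(userName);
        // Constant-time comparison so the check does not leak through timing.
        return expected != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                password.getBytes(StandardCharsets.UTF_8));
    }

    // The pattern SV.AUTH.BYPASS.MIGHT flags: the only evidence of "logged in" is a
    // flag the client sent. The server never proved the claim, so any client can make it.
    static boolean isLoggedInViaCookieFlag(Map<String, String> cookies) {
        return "true".equals(cookies.get("loggedIn"));
    }

    // Server-side alternative: the client only holds an opaque, random session id;
    // the server owns the id -> user mapping, so an id the server never issued maps to nothing.
    private static final Map<String, String> SESSIONS = new HashMap<>();
    private static final SecureRandom RNG = new SecureRandom();

    /** Verifies credentials and, on success, issues a session id to send in Set-Cookie. */
    static String login(String userName, String password) {
        if (!authenticateUser(userName, password)) return null;
        byte[] id = new byte[32];
        RNG.nextBytes(id);
        String sessionId = Base64.getUrlEncoder().withoutPadding().encodeToString(id);
        SESSIONS.put(sessionId, userName);
        return sessionId;
    }

    /** Returns the user bound to the request's session cookie, or null if not authenticated. */
    static String userForSession(Map<String, String> cookies) {
        String sessionId = cookies.get("sessionId");
        return sessionId == null ? null : SESSIONS.get(sessionId);
    }

    public static void main(String[] args) {
        // Constructed request: cookies the server never issued, with no prior login.
        Map<String, String> unissued = parseCookies("loggedIn=true; sessionId=made-up");
        System.out.println("cookie-flag check accepts unissued cookie: " + isLoggedInViaCookieFlag(unissued));
        System.out.println("session check user for unissued cookie: " + userForSession(unissued));

        // Constructed request after a real login: the server bound this id to a user itself.
        String sid = login("alice", "correct horse battery staple");
        Map<String, String> genuine = parseCookies("sessionId=" + sid);
        System.out.println("session check user after login: " + userForSession(genuine));
    }
}
```

The first request passes the cookie-flag check and fails the session check; the second passes the session check only because the server itself created the binding during login. The point the checker makes is the same one the main method shows: a value that round-trips through the client is an assertion, and the server must hold the proof (here, the session table) on its own side.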
Related checkers
External guidance
Security training
Application security training materials provided by Secure Code Warrior.
Extension
This checker can be tuned to look for specific cookies that are used in the project to identify user logged-in status. This can be done by using the @CheckerParam option in a .jkb file. If you tune this checker to add any custom values, the defaults are no longer used. If you want to include them as well, you can re-add them to your .jkb file along with the custom values. See Tuning Java analysis for more information.