SV.AUTH.BYPASS.MUST
Incorrect authentication
A common pattern checks a loggedIn cookie to decide whether the user has already logged in. If the cookie is absent, the code authenticates with the user-provided username and password and, if that succeeds, sets the loggedIn and user cookies to "remember" that the user has logged in. Because cookie values are supplied by the client, a check of this kind can be satisfied without ever authenticating. The SV.AUTH.BYPASS.MUST checker verifies that the user authentication method is sufficient and is not bypassed.
This checker reports a defect if "userName" and "password" are used in the method body, obtained with either .getParameter() or .get().
Vulnerability and risk
When an actor claims to have a given identity and the software does not prove, or insufficiently proves, that the claim is correct, this weakness can lead to the exposure of resources or functionality to unintended actors. This weakness can possibly provide attackers with sensitive information or even the ability to execute arbitrary code.
Vulnerable code example 1
public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    Map<String, String> result = new HashMap<>();
    Cookie[] cookies = request.getCookies();
    if (cookies != null) {
        for (Cookie cookie : cookies) {
            result.put(cookie.getName(), cookie.getValue());
        }
    }
    if (result.isEmpty() || !(result.get("loggedIn") != null && "true".equals(result.get("loggedIn")))) {
        if (!AuthenticateUser(request.getParameter("userName"), request.getParameter("password"))) { // both username and password
            System.err.println("Error: you need to log in first");
        }
        else {
            // Set loggedIn and userName cookies so that later requests skip authentication.
            Cookie loggedIn = new Cookie("loggedIn", "true");
            Cookie userName = new Cookie("userName", request.getParameter("userName"));
            response.addCookie(loggedIn);
            response.addCookie(userName);
        }
    }
}
In this example, Klocwork reports an SV.AUTH.BYPASS.MUST defect on line 10 with the message "Use of cookie loggedIn can lead to authentication bypass".
Fixed code example 1
public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    if (!AuthenticateUser(request.getParameter("userName"), request.getParameter("password"))) { // both username and password
        System.err.println("Error: you need to log in first");
    }
    else {
        // Set loggedIn and userName cookies.
        Cookie loggedIn = new Cookie("loggedIn", "true");
        Cookie userName = new Cookie("userName", request.getParameter("userName"));
        response.addCookie(loggedIn);
        response.addCookie(userName);
    }
}
In the fixed example, Klocwork no longer reports a defect because no cookie value is read to decide whether authentication can be skipped.
Vulnerable code example 2
public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    Map<String, String> result = new HashMap<>();
    Cookie[] cookies = request.getCookies();
    if (cookies != null) {
        for (Cookie cookie : cookies) {
            result.put(cookie.getName(), cookie.getValue());
        }
    }
    if (result.isEmpty() || !(result.get("loggedIn") != null && "true".equals(result.get("loggedIn")))) {
        if (!checkUser(request.getParameter("userName"))) { // only username
            System.err.println("Error: you need to log in first");
        }
    }
}
In this example, Klocwork reports an SV.AUTH.BYPASS.MUST defect on line 10 with the message "Use of cookie loggedIn can lead to authentication bypass".
Fixed code example 2
public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    if (!checkUser(request.getParameter("userName"))) { // only username
        System.err.println("Error: you need to log in first");
    }
    else {
        // Set loggedIn and userName cookies.
        Cookie loggedIn = new Cookie("loggedIn", "true");
        Cookie userName = new Cookie("userName", request.getParameter("userName"));
        response.addCookie(loggedIn);
        response.addCookie(userName);
    }
}
In this fixed example, Klocwork no longer reports a defect, because no cookie value is read to decide whether authentication can be skipped.
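The fixed examples above still write a loggedIn cookie; that is harmless only as long as no code ever reads it back to skip authentication. The servlet below is an added example, not part of the Klocwork documentation or its sample code, showing the alternative a reviewer would usually ask for: the login state lives in the server-side HttpSession, so no client-controlled cookie exists for a later change to trust. It assumes the javax.servlet API (Servlet 3.1 or later for changeSessionId(); jakarta.servlet works the same with the package renamed), Java 9 or later for Map.of, and a constructed in-memory credential store; the names LoginServlet, currentUser and authenticateUser are the example's own, not identifiers from the page.

```java
// Added example (not Klocwork's or the page's own code): authentication state is kept
// in the server-side HttpSession, never in a client-supplied cookie value.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginServlet extends HttpServlet {

    // Session attribute marking an authenticated principal. It is set only after a
    // successful credential check and is never derived from anything the client sends.
    private static final String USER_ATTR = "authenticatedUser";

    // Constructed demo credential store: username -> SHA-256 hex of the password.
    // A real deployment keeps salted, slow KDF hashes (PBKDF2, bcrypt, ...) behind a
    // credential service; this map exists only so the example is self-contained.
    private static final Map<String, String> USERS = Map.of(
        "alice", sha256Hex("correct horse battery staple"));

    /** Returns the logged-in user name, or null if the request carries no valid session. */
    static String currentUser(HttpServletRequest request) {
        HttpSession session = request.getSession(false); // never create one here
        return session == null ? null : (String) session.getAttribute(USER_ATTR);
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = currentUser(request);
        if (user == null) {
            // The decision depends only on server-side session state; a "loggedIn"
            // cookie is never read, so there is nothing for a forged value to satisfy.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Error: you need to log in first");
            return;
        }
        response.setContentType("text/plain");
        response.getWriter().println("Hello, " + user);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String userName = request.getParameter("userName");
        String password = request.getParameter("password");
        if (!authenticateUser(userName, password)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Error: invalid credentials");
            return;
        }
        // Create the session, rotate its id on the privilege change (session fixation
        // defence), then record the principal server-side. The only cookie the browser
        // receives is the container-managed session id, which carries no claim of its own.
        HttpSession session = request.getSession(true);
        request.changeSessionId();
        session.setAttribute(USER_ATTR, userName);
        session.setMaxInactiveInterval(15 * 60);
        response.sendRedirect(request.getContextPath() + "/");
    }

    /** Constant-time check of the supplied credentials against the demo store. */
    static boolean authenticateUser(String userName, String password) {
        if (userName == null || password == null) {
            return false;
        }
        String expected = USERS.get(userName);
        if (expected == null) {
            return false; // unknown user: same outcome as a wrong password
        }
        return MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.US_ASCII),
            sha256Hex(password).getBytes(StandardCharsets.US_ASCII));
    }

    private static String sha256Hex(String s) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : digest) {
                sb.append(String.format("%02x", b & 0xff));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }
}
```

With this structure there is no userName or loggedIn cookie for SV.AUTH.BYPASS.MUST to flag, and the remaining cookie (the session id) should be marked HttpOnly and Secure in the container's session configuration so it is not exposed to script or sent over plain HTTP.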