SV.AUTH.BYPASS.MIGHT

Incorrect authentication

This checker verifies whether the user authentication method is sufficient and is not bypassed. Project authentication can rely on the loggedIn cookie value. The SV.AUTH.BYPASS.MIGHT checker identifies cases where the loggedIn cookie may be used to bypass authentication.

This checker reports a defect if "userName" is used in the body with either .getParameter() or .get().

Vulnerability and risk

When an actor claims to have a given identity and the software does not prove, or insufficiently proves, that the claim is correct, this weakness can lead to the exposure of resources or functionality to unintended actors. This weakness can possibly provide attackers with sensitive information or even the ability to execute arbitrary code.

Vulnerable code example 1

   import java.io.IOException;
   import java.util.*;
   import jakarta.servlet.ServletException;
   import jakarta.servlet.http.*;

   public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
       Map<String, String> result = new HashMap<>();

       // result contains cookie values from request
       ...
       if ("true".equals(result.get("loggedIn"))) {   // client-controlled cookie decides the auth state
           if (!AuthenticateUser(request.getParameter("username"), ...)) { // user authentication
               System.err.println("Error: you need to log in first");
           }
           else {
               Cookie loggedIn = new Cookie("loggedIn", "true");
               ...
           }
       }
   }

Klocwork reports an SV.AUTH.BYPASS.MIGHT defect on line 7, indicating, "Use of cookie 'loggedIn' can lead to authentication bypass". In this example, a person can set the loggedIn cookie in the browser and bypass the authentication.

Fixed code example 1

   import java.io.IOException;
   import java.util.*;
   import javax.servlet.ServletException;
   import javax.servlet.http.*;

   public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
       Map<String, String> result = new HashMap<>();

       // authentication no longer depends on any cookie value
       if (!AuthenticateUser(request.getParameter("username"), ...)) { // user authentication
           System.err.println("Error: you need to log in first");
       }
       else {
           Cookie loggedIn = new Cookie("loggedIn", "true");
           ...
       }
   }

In this fixed example, Klocwork no longer reports a defect as no cookie is used to bypass authentication.
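The following added example (not Klocwork's code and not part of this page's examples) puts the pattern the checker flags, a check that trusts the client-supplied loggedIn cookie, beside a variant in which the server binds the cookie value to an HMAC under a secret only it holds, so a cookie set by hand in the browser is rejected. It goes beyond the fixed example above, which simply stops consulting the cookie; the class name, the HMAC scheme and the key are assumptions, and a server-side session store is the more usual remedy.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class LoggedInCookieDemo {
    // Constructed key for the demo; a real service loads it from a secret store.
    private static final byte[] KEY = "demo-key-replace-me".getBytes(StandardCharsets.UTF_8);

    // The pattern SV.AUTH.BYPASS.MIGHT reports: the client decides its own auth state.
    static boolean isLoggedInNaive(Map<String, String> cookies) {
        return "true".equals(cookies.get("loggedIn"));
    }

    // Server mints "user|hmac(user)"; only a holder of KEY can produce a valid value.
    static String mintLoggedInCookie(String user) throws Exception {
        return user + "|" + hmac(user);
    }

    // Accept the cookie only if its tag matches an HMAC recomputed from the user part.
    static boolean isLoggedInVerified(Map<String, String> cookies) throws Exception {
        String c = cookies.get("loggedIn");
        if (c == null) return false;
        int sep = c.lastIndexOf('|');
        if (sep < 0) return false;
        String user = c.substring(0, sep);
        try {
            byte[] given = Base64.getUrlDecoder().decode(c.substring(sep + 1));
            byte[] expected = Base64.getUrlDecoder().decode(hmac(user));
            return MessageDigest.isEqual(given, expected); // constant-time comparison
        } catch (IllegalArgumentException malformed) {
            return false; // not valid base64: treat as forged
        }
    }

    private static String hmac(String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        byte[] tag = mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> forged = Map.of("loggedIn", "true");  // set by hand in the browser
        System.out.println("naive check, forged cookie:    " + isLoggedInNaive(forged));
        System.out.println("verified check, forged cookie: " + isLoggedInVerified(forged));
        Map<String, String> genuine = Map.of("loggedIn", mintLoggedInCookie("alice"));
        System.out.println("verified check, minted cookie: " + isLoggedInVerified(genuine));
    }
}
```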

Related checkers

Security training

Application security training materials provided by Secure Code Warrior.

Extension

This checker can be tuned to look for specific cookies that are used in the project to identify user logged-in status. This can be done by using the @CheckerParam option in a .jkb file. If you tune this checker to add any custom values, the defaults are no longer used. If you want to include them as well, you can re-add them to your .jkb file along with the custom values. See Tuning Java analysis for more information.