SV.AUTH.BYPASS.MUST

Incorrect authentication

Some code checks a loggedIn cookie to decide whether the user is already logged in. If the cookie does not indicate a login, the code authenticates the user with the user-provided username and password and, on success, sets the loggedIn and user cookies to "remember" that the user has already logged in. The SV.AUTH.BYPASS.MUST checker verifies that the user authentication method is sufficient and is not bypassed.

This checker reports a defect if "userName" and "password" are used in the body with either .getParameter() or .get().

Vulnerability and risk

When an actor claims to have a given identity and the software does not prove, or insufficiently proves, that the claim is correct, this weakness can lead to the exposure of resources or functionality to unintended actors. This weakness can possibly provide attackers with sensitive information or even the ability to execute arbitrary code.

Vulnerable code example 1

   import jakarta.servlet.http.*;
   public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
       Map<String, String> result = new HashMap<>();

       // result contains cookie values from request
       ...
       if (!"true".equals(result.get("loggedIn")))  // authentication is skipped when the client-supplied cookie says "true"
       {
           if (! AuthenticateUser(request.getParameter("password"), ... )) { // user authentication
               System.err.println("Error: you need to log in first");
           }
           else {
               Cookie loggedIn = new Cookie("loggedIn", "true");
               ...
           }
       }
   }

Klocwork reports an SV.AUTH.BYPASS.MUST defect on line 7, indicating, "Use of cookie 'loggedIn' can lead to authentication bypass". In this example, a person can set the loggedIn cookie in the browser and bypass the authentication.

Fixed code example 1

   import javax.servlet.http.*;
   public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
       Map<String, String> result = new HashMap<>();

       // authentication always runs; no cookie value decides whether it is skipped
       if (! AuthenticateUser(request.getParameter("password"), ... )) { // user authentication
           System.err.println("Error: you need to log in first");
       }
       else {
           Cookie loggedIn = new Cookie("loggedIn", "true");
           ...
       }
   }

In the fixed example, Klocwork no longer reports a defect because the code no longer uses a cookie that can be used to bypass authentication.
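
Where an application still has to remember a login between requests, the cookie needs to be a value the server can verify rather than one the browser can simply set. The following is an added example, not Klocwork's code or part of the original page: it signs the cookie with HMAC-SHA256, and the class name SignedLoginCookie, its methods and the cookie layout are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Added example (hypothetical names). Cookie layout: base64url(user).expiryEpochSec.base64url(HMAC)
public class SignedLoginCookie {
    private final SecretKeySpec key;

    public SignedLoginCookie(byte[] serverSecret) { key = new SecretKeySpec(serverSecret, "HmacSHA256"); }

    private byte[] mac(String payload) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(key);
        return m.doFinal(payload.getBytes(StandardCharsets.UTF_8));
    }

    private static String enc(byte[] b) { return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }

    // Call only after the password check (AuthenticateUser on the page) has succeeded.
    public String issue(String user, long expiresEpochSec) throws Exception {
        String payload = enc(user.getBytes(StandardCharsets.UTF_8)) + "." + expiresEpochSec;
        return payload + "." + enc(mac(payload));
    }

    // Returns the user name if the cookie is authentic and unexpired, otherwise null.
    public String verify(String cookie, long nowEpochSec) throws Exception {
        String[] p = cookie == null ? new String[0] : cookie.split("\\.", -1);
        if (p.length != 3) return null;                        // e.g. a bare "true"
        try {
            byte[] given = Base64.getUrlDecoder().decode(p[2]);
            if (!MessageDigest.isEqual(mac(p[0] + "." + p[1]), given)) return null; // constant-time compare
            if (Long.parseLong(p[1]) <= nowEpochSec) return null;                   // expired
            return new String(Base64.getUrlDecoder().decode(p[0]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) { return null; }  // malformed base64 or expiry
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = new byte[32];
        new java.security.SecureRandom().nextBytes(secret);    // constructed demo key
        SignedLoginCookie c = new SignedLoginCookie(secret);
        long now = System.currentTimeMillis() / 1000;
        String good = c.issue("alice", now + 3600);
        String forged = enc("admin".getBytes(StandardCharsets.UTF_8)) + good.substring(good.indexOf('.'));
        System.out.println("issued cookie -> " + c.verify(good, now));
        System.out.println("loggedIn=true -> " + c.verify("true", now));
        System.out.println("swapped user  -> " + c.verify(forged, now));
        System.out.println("after expiry  -> " + c.verify(good, now + 7200));
    }
}
```

Only the first call returns a user name; a client-chosen value, a swapped user field and an expired cookie all fail verification and fall back to the password check.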
