CAPEC-114: Authentication Abuse

An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker.

Medium

Typical severity

Per MITRE

Not rated

Likelihood of attack

Per MITRE

Related weaknesses

CWEs this targets

Overview

This attack may exploit assumptions made by the target's authentication procedures, such as assumptions regarding trust relationships or assumptions regarding the generation of secret values. This attack differs from Authentication Bypass attacks in that Authentication Abuse allows the attacker to be certified as a valid user through illegitimate means, while Authentication Bypass allows the user to access protected material without ever being certified as an authenticated user. This attack does not rely on prior sessions established by successfully authenticating users, as relied upon for the "Exploitation of Session Variables, Resource IDs and other Trusted Credentials" attack patterns.

CAPEC-114: Authentication Abuse

Overview

What the attacker needs

Prerequisites

Resources required

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CAPEC-114?

What weaknesses does CAPEC-114 target?

How severe is CAPEC-114?

References

Defend against CAPEC-114

Overview

What the attacker needs

Prerequisites

Resources required

Related weaknesses

Related attack patterns

Child

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CAPEC-114?

What weaknesses does CAPEC-114 target?

How severe is CAPEC-114?

References

Defend against CAPEC-114