BaseIncomplete

CWE-1270Generation of Incorrect Security Tokens

Category: auth

Description

The product implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Tokens generated in the system are incorrect.

Common consequences· 1

  • Confidentiality / Integrity / Availability / Access Control — Modify Files or Directories, Execute Unauthorized Code or Commands, Bypass Protection Mechanism, Gain Privileges or Assume Identity, Read Memory, Modify Memory, DoS: Crash, Exit, or Restart
    Incorrectly generated Security Tokens could result in the same token used for multiple agents or multiple tokens being used for the same agent. This condition could result in a Denial-of-Service (DoS) or the execution of an action that in turn could result in privilege escalation or unintended access.

Potential mitigations· 1

  • [Architecture and Design, Implementation]

Related CAPEC attack patterns· 3

CAPEC-121CAPEC-633CAPEC-681

References

  1. https://cwe.mitre.org/data/definitions/1270.html

Exploits (incoming)3

TypeTargetConfidenceTier
AttackPatternExploit Non-Production Interfacescapec-121100%live
AttackPatternExploitation of Improperly Controlled Hardware Security Identifierscapec-681100%live
AttackPatternToken Impersonationcapec-633100%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CWE
Incorrect Authorization
CWE
Improper Authorization
CWE
Insufficient Verification of Data Authenticity
CWE
Incorrect Decoding of Security Identifiers
CWE
Incorrect Conversion of Security Identifiers
CWE
Improper Verification of Cryptographic Signature
Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.