BaseDraft
CWE-654Reliance on a Single Factor in a Security Decision
Category: other
Description
A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality.
Common consequences· 2
- Access Control — Gain Privileges or Assume IdentityIf the single factor is compromised (e.g. by theft or spoofing), then the integrity of the entire security mechanism can be violated with respect to the user that is identified by that factor.
- Non-Repudiation — Hide ActivitiesIt can become difficult or impossible for the product to be able to distinguish between legitimate activities by the entity who provided the factor, versus illegitimate activities by an attacker.
Potential mitigations· 2
- [Architecture and Design]Use multiple simultaneous checks before granting access to critical operations or granting critical privileges. A weaker but helpful mitigation is to use several successive checks (multiple layers of security).
- [Architecture and Design]Use redundant access rules on different choke points (e.g., firewalls).
Related CAPEC attack patterns· 10
References
Exploits (incoming)10
| Type | Target | Confidence | Tier |
|---|---|---|---|
| AttackPattern | HTTP Verb Tamperingcapec-274 | 100% | live |
| AttackPattern | Try Common or Default Usernames and Passwordscapec-70 | 100% | live |
| AttackPattern | Use of Known Operating System Credentialscapec-653 | 100% | live |
| AttackPattern | Dictionary-based Password Attackcapec-16 | 100% | live |
| AttackPattern | Use of Known Domain Credentialscapec-560 | 100% | live |
| AttackPattern | Password Brute Forcingcapec-49 | 100% | live |
| AttackPattern | Password Sprayingcapec-565 | 100% | live |
| AttackPattern | Rainbow Table Password Crackingcapec-55 | 100% | live |
| AttackPattern | Use of Known Kerberos Credentialscapec-652 | 100% | live |
| AttackPattern | Credential Stuffingcapec-600 | 100% | live |
Related by meaning· 6
Nearest entities by semantic similarity across the cs-graph corpus.