An attacker obtains unauthorized access to an application, service or
device either by exploiting the inherent weaknesses of an authentication
mechanism or by exploiting a flaw in how the authentication scheme is
implemented. In this attack the authentication mechanism is functioning as
designed, but a carefully controlled sequence of events causes it to grant
access to the attacker. The attack typically exploits assumptions made by
the target's authentication procedures, such as assumptions about trust
relationships or assumptions about how secret values (tokens, nonces,
session identifiers and the like) are generated.

This attack differs from Authentication Bypass in that Authentication Abuse
lets the attacker be certified as a valid user through illegitimate means,
whereas Authentication Bypass lets the attacker reach protected material
without ever being certified as an authenticated user. It also does not rely
on sessions previously established by users who authenticated successfully,
which is what the "Exploitation of Session Variables, Resource IDs and other
Trusted Credentials" attack patterns depend on.
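The following is an added illustration of the "assumptions regarding the generation of secret values" case; it is not part of the CAPEC entry. A hypothetical password-reset flow works exactly as designed (it issues a token, checks it with a constant-time comparison, then lets the holder set a new password), yet an attacker who never sees the emailed token is certified as the victim because the token is derived from the username and the request timestamp. The `ResetService`, `weak_token`, `strong_token` and `attacker_abuses_reset` names, the user "alice" and the fixed clock value are all constructed for this example.

```python
"""Authentication Abuse via predictable secret generation (constructed example).

The reset mechanism below is not bypassed: every check it performs passes.
It is abused, because its secret is recomputable by anyone who knows roughly
when the reset was requested.
"""
import hmac
import random
import secrets
import time


class ResetService:
    """Hypothetical password-reset flow; behaviour depends only on token_source."""

    def __init__(self, token_source, clock=time.time):
        self.token_source = token_source   # callable(username, now) -> token
        self.clock = clock                 # injectable so runs are reproducible
        self.users = {"alice": "correct horse battery staple"}
        self.pending = {}                  # username -> outstanding reset token

    def request_reset(self, username):
        if username not in self.users:
            return None
        token = self.token_source(username, self.clock())
        self.pending[username] = token
        return token   # a real service would email this to the account owner only

    def complete_reset(self, username, token, new_password):
        expected = self.pending.get(username)
        if expected is None or not hmac.compare_digest(expected, token):
            return False   # no lockout or rate limit, so wrong guesses cost nothing
        self.users[username] = new_password
        del self.pending[username]
        return True

    def login(self, username, password):
        return hmac.compare_digest(self.users.get(username, ""), password)


def weak_token(username, now):
    # Flawed assumption: a PRNG seeded from public inputs (username, request
    # second) yields a "random" token. The seed space is tiny and guessable.
    rng = random.Random(f"{username}:{int(now)}")
    return "%08x" % rng.getrandbits(32)


def strong_token(username, now):
    # Hardened: token comes from the OS CSPRNG and depends on no public value.
    return secrets.token_urlsafe(32)


def attacker_abuses_reset(service, victim, approx_time, window=60):
    """Attacker triggers a reset for the victim, then replays the weak generator
    over every second in a window around when they think the request was made.
    Returns True if the attacker ends up logged in as the victim."""
    service.request_reset(victim)
    for offset in range(-window, window + 1):
        guess = weak_token(victim, approx_time + offset)
        if service.complete_reset(victim, guess, "attacker-chosen"):
            return service.login(victim, "attacker-chosen")
    return False


def demo():
    t0 = 1_700_000_000.0  # constructed fixed clock so the run is reproducible
    weak = ResetService(weak_token, clock=lambda: t0)
    hardened = ResetService(strong_token, clock=lambda: t0)
    # The attacker only knows the request happened "about" t0 (here 7 s off).
    return {
        "weak": attacker_abuses_reset(weak, "alice", t0 + 7),
        "hardened": attacker_abuses_reset(hardened, "alice", t0 + 7),
        "alice_locked_out_of_weak": not weak.login("alice", "correct horse battery staple"),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the weak service certifying the attacker as "alice" (and locking the real owner out), while the hardened service, whose only change is the token source, rejects every guess in the window. The point the example makes is that no check in `ResetService` was skipped; the assumption behind the secret was wrong.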
Attack Prerequisites
An authentication mechanism or subsystem that implements some form of
authentication (passwords, digest authentication, security certificates,
etc.) and is flawed in some way, either in its design or in its
implementation.
Resources Required
A client application, command-line access to a binary, or a scripting
language capable of interacting with the authentication mechanism.