CWE-602: Client-Side Enforcement of Server-Side Security

ClassDraftExploit Likelihood: Medium

The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.

View on MITRE
Back to CWE Lookup

Extended Description

When the server relies on protection mechanisms placed on the client side, an attacker can modify the client-side behavior to bypass the protection mechanisms, resulting in potentially unexpected interactions between the client and server. The consequences will vary, depending on what the mechanisms are trying to protect.

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms

Frequently Asked Questions

What is CWE-602: Client-Side Enforcement of Server-Side Security?+

CWE-602: Client-Side Enforcement of Server-Side Security is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server. When the server relies on protection mechanisms placed on the client side, an attacker can modify the client-side behavior to bypass the protection mechanisms, resulting in potentially unexpected interactions between the client and server. The consequences will vary, depending on what the mechanisms are trying to protect.

What are the security consequences of Client-Side Enforcement of Server-Side Security?+

If exploited, CWE-602 (Client-Side Enforcement of Server-Side Security) it can compromise Access Control and Availability, leading to outcomes such as Bypass Protection Mechanism, DoS: Crash, Exit, or Restart and Gain Privileges or Assume Identity.

How do you prevent or mitigate Client-Side Enforcement of Server-Side Security?+

Recommended mitigations for CWE-602 include: For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. Even though client-side checks provide minimal benefits with respect to server-side security, they are still useful. First, they can support intrusion detection. If the server receives input that should have been rejected by the client, then it may be an indication of an attack. Second, client-side error-checking can provide helpful feedback to the user about the expectations for valid input. Third, there may be a reduction in server-side processing time for accidental input errors, although this is typically a small savings. If some degree of trust is required between the two entities, then use integrity checking and strong authentication to ensure that the inputs are coming from a trusted source. Design the product so that this trust is managed in a centralized fashion, especially if there are complex or numerous communication channels, in order to reduce the risks that the implementer will mistakenly omit a check in a single code path. Use dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.

Which programming languages are affected by Client-Side Enforcement of Server-Side Security?+

CWE-602 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Client-Side Enforcement of Server-Side Security?+

MITRE documents real CVEs mapped to CWE-602, including CVE-2022-33139, CVE-2006-6994, CVE-2007-0163, CVE-2007-0164 and CVE-2007-0100. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-602 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More