Nonces should be used for the present occasion and only once.
Time of Introduction
Architecture and Design
Applicable Platforms
Languages
All
Common Consequences
Scope
Effect
Access Control
Technical Impact: Bypass protection
mechanism; Gain privileges / assume
identity
Potentially a replay attack, in which an attacker could send the same
data twice, could be crafted if nonces are allowed to be reused. This
could allow a user to send a message which masquerades as a valid
message from a valid user.
Likelihood of Exploit
High
Demonstrative Examples
Example 1
This code takes a password, concatenates it with a nonce, then
encrypts it before sending over a network:
Because the nonce used is always the same, an attacker can impersonate
a trusted party by intercepting and resending the encrypted password.
This attack avoids the need to learn the unencrypted password.
Example 2
This code sends a command to a remote server, using an encrypted
password and nonce to prove the command is from a trusted
party:
(Bad Code)
Example
Language: C++
String command = new String("some command to execute");
More information is available — Please select a different filter.
Page Last Updated:
May 05, 2017
Use of the Common Weakness Enumeration and the associated references from this website are subject to the
Terms of Use. For more information, please email
[email protected].