[alipitch]

What would the CWEs be for the five classes of attacks?

- Classic-Federated Merge (CFM)

- Unexpired Session (US)

- Trojan Identifier (TID)

- Unexpired Email Change (UE)

- Non-verifying IdP (NV)

[alipitch]

For all five classes of attacks, the paper states that the root cause & mitigation is "Strict Identifier Verification".

  6.2 Root Cause & Mitigation
  6.2.1 Strict Identifier Verification
  The root cause of all of the attacks identified in the preceding sections is failure to verify ownership of the claimed identifier.

[alipitch]

"Strict Identifier Verification" look kind of like CWE-304.

CWE-304: Missing Critical Step in Authentication <https://cwe.mitre.org/data/definitions/304.html>

Looking at the CWE-304 wording, this does not look like the right CWE, but OWASP ASVP 2.2.2 points to this CWE.

OWASP ASVP 2.2.2 <https://github.com/OWASP/ASVS/blob/v4.0.3_release/4.0/en/0x1...>

  2.2.2
  Verify that the use of weak authenticators (such as SMS and email) is limited to secondary verification and transaction approval and not as a replacement for more secure authentication methods. Verify that stronger methods are offered before weak methods, users are aware of the risks, or that proper measures are in place to limit the risks of account compromise.
  CWE-304

[alipitch]

- Unexpired Email Change (UE)

[alipitch]

possibly CWE-306?

CWE-306: Missing Authentication for Critical Function <https://cwe.mitre.org/data/definitions/306.html>

Looking at the CWE-306 wording, this does not look like the right CWE, but OWASP ASVP 3.7.1 points to this CWE.

OWASP ASVP 3.7.1 <https://github.com/OWASP/ASVS/blob/v4.0.3_release/4.0/en/0x1...>

  3.7.1
  Verify the application ensures a full, valid login session or requires re-authentication or secondary verification before allowing any sensitive transactions or account modifications.
  CWE-306