CWE-293: Using Referer Field for Authentication

Description

The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking.

Extended Description

N/A

ThreatScore

Threat Mapped score: 0.0

Industry: Finiancial

Threat priority: Unclassified

Observed Examples (CVEs)

No observed examples available.

Related Attack Patterns (CAPEC)

N/A

Attack TTPs

N/A

Modes of Introduction

Phase	Note
Architecture and Design	COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic.

Common Consequences

Impact: Gain Privileges or Assume Identity — Notes: Actions, which may not be authorized otherwise, can be carried out as if they were validated by the server referred to.

Potential Mitigations

Architecture and Design: In order to usefully check if a given action is authorized, some means of strong authentication and method protection must be used. Use other means of authorization that cannot be simply spoofed. Possibilities include a username/password or certificate. (N/A)

Applicable Platforms

None (Not Language-Specific, Undetermined)

Demonstrative Examples

Intro: The following code samples check a packet's referer in order to decide whether or not an inbound request is from a trusted host.

Body: These examples check if a request is from a trusted referer before responding to a request, but the code only verifies the referer name as stored in the request packet. An attacker can spoof the referer, thus impersonating a trusted client.

String trustedReferer = "http://www.example.com/" while(true){ n = read(newsock, buffer, BUFSIZE); requestPacket = processPacket(buffer, n); if (requestPacket.referer == trustedReferer){ openNewSecureSession(requestPacket); } }

Notes

No notes available.

← Back to CWE list