CWE-346: Origin Validation Error

Export to Word

Description

The product does not properly verify that the source of data or communication is valid.

Extended Description

N/A

ThreatScore

Threat Mapped score: 1.8

Industry: Finiancial

Threat priority: P4 - Informational (Low)

Observed Examples (CVEs)

CVE: CVE-2000-1218

DNS server can accept DNS updates from hosts that it did not query, leading to cache poisoning
CVE: CVE-2005-0877

DNS server can accept DNS updates from hosts that it did not query, leading to cache poisoning
CVE: CVE-2001-1452

DNS server caches glue records received from non-delegated name servers
CVE: CVE-2005-2188

user ID obtained from untrusted source (URL)
CVE: CVE-2003-0174

LDAP service does not verify if a particular attribute was set by the LDAP server
CVE: CVE-1999-1549

product does not sufficiently distinguish external HTML from internal, potentially dangerous HTML, allowing bypass using special strings in the page title. Overlaps special elements.
CVE: CVE-2003-0981

product records the reverse DNS name of a visitor in the logs, allowing spoofing and resultant XSS.

Related Attack Patterns (CAPEC)

Attack TTPs

T1539 — Steal Web Session Cookie (credential-access)
T1134.001 — Token Impersonation/Theft (defense-evasion, privilege-escalation)
T1528 — Steal Application Access Token (credential-access)
T1584.002 — DNS Server (resource-development)
T1550.004 — Web Session Cookie (defense-evasion, lateral-movement)
T1557.002 — ARP Cache Poisoning (credential-access, collection)
T1134 — Access Token Manipulation (defense-evasion, privilege-escalation)

Malware

APTs (Intrusion Sets)

Modes of Introduction

Phase	Note
Architecture and Design	N/A
Implementation	REALIZATION: This weakness is caused during implementation of an architectural security tactic.

Common Consequences

Impact: Gain Privileges or Assume Identity, Varies by Context — Notes: An attacker can access any functionality that is inadvertently accessible to the source.

Potential Mitigations

None listed.

Applicable Platforms

None (Not Language-Specific, Undetermined)

Demonstrative Examples

Intro: This Android application will remove a user account when it receives an intent to do so:

Body: This application does not check the origin of the intent, thus allowing any malicious application to remove a user. Always check the origin of an intent, or create an allowlist of trusted applications using the manifest.xml file.

IntentFilter filter = new IntentFilter("com.example.RemoveUser"); MyReceiver receiver = new MyReceiver(); registerReceiver(receiver, filter); public class DeleteReceiver extends BroadcastReceiver { @Override public void onReceive(Context context, Intent intent) { int userID = intent.getIntExtra("userID"); destroyUserData(userID); } }

Intro: These Android and iOS applications intercept URL loading within a WebView and perform special actions if a particular URL scheme is used, thus allowing the Javascript within the WebView to communicate with the application:

Body: A call into native code can then be initiated by passing parameters within the URL:

// Android @Override public boolean shouldOverrideUrlLoading(WebView view, String url){ if (url.substring(0,14).equalsIgnoreCase("examplescheme:")){ if(url.substring(14,25).equalsIgnoreCase("getUserInfo")){ writeDataToView(view, UserData); return false; } else{ return true; } } }

Notes

Maintenance: This entry has some significant overlap with other CWE entries and may need some clarification. See terminology notes.
Terminology: The "Origin Validation Error" term was originally used in a 1995 thesis [REF-324]. Although not formally defined, an issue is considered to be an origin validation error if either (1) "an object [accepts] input from an unauthorized subject," or (2) "the system [fails] to properly or completely authenticate a subject." A later section says that an origin validation error can occur when the system (1) "does not properly authenticate a user or process" or (2) "does not properly authenticate the shared data or libraries." The only example provided in the thesis (covered by OSVDB:57615) involves a setuid program running command-line arguments without dropping privileges. So, this definition (and its examples in the thesis) effectively cover other weaknesses such as CWE-287 (Improper Authentication), CWE-285 (Improper Authorization), and CWE-250 (Execution with Unnecessary Privileges). There appears to be little usage of this term today, except in the SecurityFocus vulnerability database, where the term is used for a variety of issues, including web-browser problems that allow violation of the Same Origin Policy and improper validation of the source of an incoming message.

← Back to CWE list