CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (2.10)  
ID

CWE-293: Using Referer Field for Authentication

Weakness ID: 293
Abstraction: Variant
Status: Draft
Presentation Filter:
+ Description

Description Summary

The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking.
+ Alternate Terms
referrer:

While the proper spelling might be regarded as "referrer," the HTTP RFCs and their implementations use "referer," so this is regarded as the correct spelling.

+ Time of Introduction
  • Architecture and Design
+ Applicable Platforms

Languages

All

+ Common Consequences
ScopeEffect
Access Control

Technical Impact: Gain privileges / assume identity

Actions, which may not be authorized otherwise, can be carried out as if they were validated by the server referred to.

+ Likelihood of Exploit

High

+ Demonstrative Examples

Example 1

The following code samples check a packet's referer in order to decide whether or not an inbound request is from a trusted host.

(Bad Code)
Example Language: C++ 
String trustedReferer = "http://www.example.com/"
while(true){
n = read(newsock, buffer, BUFSIZE);
requestPacket = processPacket(buffer, n);
if (requestPacket.referer == trustedReferer){
openNewSecureSession(requestPacket);
}
}
(Bad Code)
Example Language: Java 
boolean processConnectionRequest(HttpServletRequest request){
String referer = request.getHeader("referer")
String trustedReferer = "http://www.example.com/"
if(referer.equals(trustedReferer)){
openPrivilegedConnection(request);
return true;
}
else{
sendPrivilegeError(request);
return false;
}
}

These examples check if a request is from a trusted referer before responding to a request, but the code only verifies the referer name as stored in the request packet. An attacker can spoof the referer, thus impersonating a trusted client.

+ Potential Mitigations

Phase: Architecture and Design

In order to usefully check if a given action is authorized, some means of strong authentication and method protection must be used. Use other means of authorization that cannot be simply spoofed. Possibilities include a username/password or certificate.

+ Background Details

The referer field in HTML requests can be simply modified by malicious users, rendering it useless as a means of checking the validity of the request in question.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness BaseWeakness Base290Authentication Bypass by Spoofing
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfCategoryCategory949SFP Secondary Cluster: Faulty Endpoint Authentication
Software Fault Pattern (SFP) Clusters (primary)888
+ Relevant Properties
  • Mutability
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
CLASPUsing referrer field for authentication
Software Fault PatternsSFP29Faulty endpoint authentication
+ References
[REF-7] Mark Dowd, John McDonald and Justin Schuh. "The Art of Software Security Assessment". Chapter 17, "Referer Request Header", Page 1030.. 1st Edition. Addison Wesley. 2006.
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
CLASPExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-09-08CWE Content TeamMITREInternal
updated Alternate_Terms, Background_Details, Common_Consequences, Relationships, Relevant_Properties, Taxonomy_Mappings
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated Common_Consequences, Demonstrative_Examples, References, Relationships
2012-10-30CWE Content TeamMITREInternal
updated Demonstrative_Examples
2014-07-30CWE Content TeamMITREInternal
updated Relationships, Taxonomy_Mappings

More information is available — Please select a different filter.
Page Last Updated: January 18, 2017