
CWE-293: Using Referer Field for Authentication

Weakness ID: 293 (Weakness Variant)
Status: Draft
Description

Description Summary

The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking.
Alternate Terms

referrer: While the proper spelling might be regarded as "referrer," the HTTP RFCs and their implementations use "referer," so this is regarded as the correct spelling.

Time of Introduction

  • Architecture and Design

Applicable Platforms

Languages: All

Common Consequences

Scope: Access Control
Technical Impact: Gain privileges / assume identity
Actions, which may not be authorized otherwise, can be carried out as if they were validated by the server referred to.

Scope: Access Control
Technical Impact: Gain privileges / assume identity
Actions may be taken in the name of the server referred to.

Likelihood of Exploit

High

Demonstrative Examples

Example 1

(Bad Code)
Example Languages: C and C++

    sock = socket(AF_INET, SOCK_STREAM, 0);
    ...
    bind(sock, (struct sockaddr *)&server, len);
    ...
    while (1) {
        newsock = accept(sock, (struct sockaddr *)&from, &fromlen);
        pid = fork();
        if (pid == 0) {
            n = read(newsock, buffer, BUFSIZE);
            ...
            /* Treats a client-supplied Referer header as proof that the request is authorized */
            if (strstr(buffer, "Referer: http://www.foo.org/dsaf.html") != NULL) {
                /* do stuff */
            }
        }
    }

(Bad Code)
Example Language: Java

    import java.io.*;
    import java.net.*;

    public class httpd extends Thread {
        Socket cli;
        public httpd(Socket serv) {
            cli = serv;
            start();
        }
        public static void main(String[] a) {
            ...
            ServerSocket serv = new ServerSocket(8181);
            for (;;) {
                new httpd(serv.accept());
            ...
        public void run() {
            try {
                BufferedReader reader = new BufferedReader(new InputStreamReader(cli.getInputStream()));
                DataOutputStream o = new DataOutputStream(cli.getOutputStream());
                ... // if the request read from reader contains the proper Referer header, carry out the action

Potential Mitigations

Phase: Architecture and Design

In order to usefully check if a given action is authorized, some means of strong authentication and method protection must be used. Use other means of authorization that cannot be simply spoofed. Possibilities include a username/password or certificate.
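The following is an added example, not code from CWE or MITRE, illustrating both the Description and the mitigation above: a server-side check that trusts the client-supplied Referer header (the weakness in the demonstrative examples) next to a check that relies on a credential the server issued after real authentication. The hostname, the header parser, the HMAC token scheme, the user name and the sample requests are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Added example, not CWE/MITRE code. Contrasts the Referer-based check from the
# demonstrative examples with a server-issued credential a client cannot forge.
# The hostname, sample requests, user name and token format are constructed.

TRUSTED_REFERER = "http://www.foo.org/dsaf.html"

# Constructed server secret: lives only in server memory, never sent to clients.
SERVER_KEY = secrets.token_bytes(32)


def parse_headers(raw_request: bytes) -> dict:
    """Parse the header section of a raw HTTP/1.x request into a dict.

    Header names are case-insensitive, so they are lower-cased; the value is
    split on the first colon only, so URLs in values stay intact.
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def authorized_by_referer(headers: dict) -> bool:
    """CWE-293: the decision rests on a header the client chose to send."""
    return headers.get("referer") == TRUSTED_REFERER


def issue_token(user: str) -> str:
    """Handed out by the server only after real authentication (e.g. password)."""
    mac = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"


def authorized_by_token(headers: dict) -> bool:
    """Accept only a token whose MAC was computed with SERVER_KEY."""
    auth = headers.get("authorization", "")
    if not auth.startswith("Bearer "):
        return False
    user, sep, mac = auth[len("Bearer "):].rpartition(":")
    if not sep or not user:
        return False
    expected = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)  # constant-time comparison


# Constructed sample request: any client can write this Referer value.
FORGED_REQUEST = (
    b"GET /admin/delete HTTP/1.1\r\n"
    b"Host: www.foo.org\r\n"
    b"Referer: http://www.foo.org/dsaf.html\r\n"
    b"\r\n"
)


def legit_request(user: str) -> bytes:
    """Constructed request carrying a token the server actually issued."""
    token = issue_token(user)
    return (b"GET /admin/delete HTTP/1.1\r\nHost: www.foo.org\r\n"
            + f"Authorization: Bearer {token}\r\n".encode() + b"\r\n")


def tampered_request(user: str) -> bytes:
    """Constructed request with a token of the right shape but a wrong MAC."""
    return (b"GET /admin/delete HTTP/1.1\r\nHost: www.foo.org\r\n"
            + f"Authorization: Bearer {user}:{'0' * 64}\r\n".encode() + b"\r\n")


if __name__ == "__main__":
    forged = parse_headers(FORGED_REQUEST)
    print("referer check on forged request:", authorized_by_referer(forged))  # True
    print("token check on forged request:", authorized_by_token(forged))      # False
    legit = parse_headers(legit_request("alice"))
    print("token check on issued token:", authorized_by_token(legit))         # True
```

The point of the contrast is where the secret lives: the Referer check has no secret at all, so any request containing the expected string passes, whereas the token check only passes for a value derived from SERVER_KEY, which the client never sees. The token is one stand-in for the "username/password or certificate" the mitigation suggests; whatever the credential, it must be something the server verifies rather than something the client merely asserts.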

Background Details

The referer field in HTTP requests can be simply modified by malicious users, rendering it useless as a means of checking the validity of the request in question.

Relationships

Nature    Type                         ID   Name                               View(s) this relationship pertains to
ChildOf   Weakness Base                290  Authentication Bypass by Spoofing  Development Concepts (primary) 699; Research Concepts (primary) 1000
PeerOf    Compound Element: Composite  291  Trusting Self-reported IP Address  Research Concepts 1000
PeerOf    Weakness Variant             292  Trusting Self-reported DNS Name    Research Concepts 1000
Relevant Properties

  • Mutability

Taxonomy Mappings

Mapped Taxonomy Name   Node ID   Fit   Mapped Node Name
CLASP                                  Using referrer field for authentication
Content History

Submissions

Submission Date   Submitter   Organization   Source
                  CLASP                      Externally Mined

Modifications

Modification Date   Modifier           Organization   Source
2008-09-08          CWE Content Team   MITRE          Internal
                    updated Alternate_Terms, Background_Details, Common_Consequences, Relationships, Relevant_Properties, Taxonomy_Mappings
2011-06-01          CWE Content Team   MITRE          Internal
                    updated Common_Consequences

Page Last Updated: September 12, 2011