Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (2.11)  

CWE-346: Origin Validation Error

Weakness ID: 346
Abstraction: Base
Status: Draft
Presentation Filter:
+ Description

Description Summary

The software does not properly verify that the source of data or communication is valid.
+ Terminology Notes

The "Origin Validation Error" term was used by Taimur Aslam in his August 1995 thesis. Although not formally defined, an issue is considered to be an origin validation error if either (1) "an object [accepts] input from an unauthorized subject," or (2) "the system [fails] to properly or completely authenticate a subject." A later section says that an origin validation error can occur when the system (1) "does not properly authenticate a user or process" or (2) "does not properly authenticate the shared data or libraries." The only example provided in the thesis (covered by OSVDB:57615) involves a setuid program running command-line arguments without dropping privileges. So, this definition (and its examples in the thesis) effectively cover other weaknesses such as CWE-287 (Improper Authentication), CWE-285 (Improper Authorization), and CWE-250 (Execution with Unnecessary Privileges). There appears to be little usage of this term today, except in the SecurityFocus vulnerability database, where the term is used for a variety of issues, including web-browser problems that allow violation of the Same Origin Policy and improper validation of the source of an incoming message.

+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms



+ Common Consequences
Access Control

Technical Impact: Gain privileges / assume identity; Varies by context

An attacker can access any functionality that is inadvertently accessible to the source.

+ Demonstrative Examples

Example 1

This Android application will remove a user account when it receives an intent to do so:

(Bad Code)
Example Language: Java 
IntentFilter filter = new IntentFilter("com.example.RemoveUser");
MyReceiver receiver = new MyReceiver();
registerReceiver(receiver, filter);

public class DeleteReceiver extends BroadcastReceiver {
public void onReceive(Context context, Intent intent) {
int userID = intent.getIntExtra("userID");

This application does not check the origin of the intent, thus allowing any malicious application to remove a user. Always check the origin of an intent, or create a whitelist of trusted applications using the manifest.xml file.

Example 2

These Android and iOS applications intercept URL loading within a WebView and perform special actions if a particular URL scheme is used, thus allowing the Javascript within the WebView to communicate with the application:

(Bad Code)
Example Language: Java 
// Android

public boolean shouldOverrideUrlLoading(WebView view, String url){
if (url.substring(0,14).equalsIgnoreCase("examplescheme:")){
writeDataToView(view, UserData);
return false;
return true;
(Bad Code)
Example Language: Objective-C 
// iOS

-(BOOL) webView:(UIWebView *)exWebView shouldStartLoadWithRequest:(NSURLRequest *)exRequest navigationType:(UIWebViewNavigationType)exNavigationType
NSURL *URL = [exRequest URL];
if ([[URL scheme] isEqualToString:@"exampleScheme"])
NSString *functionString = [URL resourceSpecifier];
if ([functionString hasPrefix:@"specialFunction"])
// Make data available back in webview.
UIWebView *webView = [self writeDataToView:[URL query]];
return NO;
return YES;

A call into native code can then be initiated by passing parameters within the URL:

Example Language: Javascript 
window.location = examplescheme://method?parameter=value

Because the application does not check the source, a malicious website loaded within this WebView has the same access to the API as a trusted site.

+ Observed Examples
DNS server can accept DNS updates from hosts that it did not query, leading to cache poisoning
DNS server can accept DNS updates from hosts that it did not query, leading to cache poisoning
DNS server caches glue records received from non-delegated name servers
user ID obtained from untrusted source (URL)
LDAP service does not verify if a particular attribute was set by the LDAP server
product does not sufficiently distinguish external HTML from internal, potentially dangerous HTML, allowing bypass using special strings in the page title. Overlaps special elements.
product records the reverse DNS name of a visitor in the logs, allowing spoofing and resultant XSS.
+ Weakness Ordinalities
(where the weakness exists independent of other weaknesses)
(where the weakness is typically related to the presence of some other weaknesses)
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class284Improper Access Control
Development Concepts699
Research Concepts1000
ChildOfWeakness ClassWeakness Class345Insufficient Verification of Data Authenticity
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfCategoryCategory949SFP Secondary Cluster: Faulty Endpoint Authentication
Software Fault Pattern (SFP) Clusters (primary)888
RequiredByCompound Element: CompositeCompound Element: Composite352Cross-Site Request Forgery (CSRF)
Research Concepts1000
RequiredByCompound Element: CompositeCompound Element: Composite384Session Fixation
Research Concepts1000
PeerOfWeakness BaseWeakness Base451User Interface (UI) Misrepresentation of Critical Information
Research Concepts1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVEROrigin Validation Error
+ References
Taimur Aslam. "A Taxonomy of Security Faults in the UNIX Operating System". 1995-08-01. <>.
+ Maintenance Notes

This entry has some significant overlap with other CWE entries and may need some clarification. See terminology notes.

+ Content History
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities
2009-05-27CWE Content TeamMITREInternal
updated Related_Attack_Patterns
2010-12-13CWE Content TeamMITREInternal
updated Related_Attack_Patterns
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2011-06-27CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated Related_Attack_Patterns, Relationships
2014-02-18CWE Content TeamMITREInternal
updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Maintenance_Notes, References, Relationship_Notes, Relationships, Terminology_Notes
2014-06-23CWE Content TeamMITREInternal
updated Related_Attack_Patterns
2014-07-30CWE Content TeamMITREInternal
updated Relationships

More information is available — Please select a different filter.
Page Last Updated: May 05, 2017