
CWE-650 Individual Dictionary Definition (Draft 9)

Trusting HTTP Permission Methods on the Server Side
Weakness ID: 650 (Weakness Variant)

Status: Incomplete

Description

Summary

If server-side code trusts that an HTTP GET request cannot modify the resource representation at the URI being accessed (as the HTTP specification defines GET, a safe method) and provides no additional controls against such modification, the application is vulnerable to resource modification and deletion attacks. An application may block HTTP DELETE, PUT and POST requests on the resource representation and believe that this is enough to prevent unintended alterations. However, nothing in the HTTP protocol itself prevents a GET handler from doing more than querying data; it is common practice in REST-style web services for GET requests to modify resources on the server side. Wherever that happens, access control must be enforced in the application on the operation the request actually performs, and no assumption should be made that only the DELETE, PUT and POST methods can alter the representation of the resource named in the request.

Likelihood of Exploit

High

Common Consequences

Escalation of Privilege

Modification of Resources

Information Disclosure

Enabling Factors for Exploitation

The application allows HTTP access to resources.

The application is not properly configured to enforce access controls around the resources accessible via HTTP.

Potential Mitigations

Configure ACLs on the server side so that the proper level of access control is defined for each accessible resource representation, keyed on the operation performed and the resource affected rather than on the HTTP method alone.

Do not assume that only the HTTP PUT, DELETE or POST methods can modify resources; a handler behind the HTTP GET method may do the same.
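The weakness and its mitigation side by side, as an added example that is not part of this CWE entry or of any real service: a tiny in-memory "photoset" handler whose names, routes and `?method=delete` query parameter are assumptions modelled on the GET-based delete APIs cited under Observed Examples. The vulnerable version gates only POST/PUT/DELETE behind authentication, so an anonymous GET still deletes; the hardened version first resolves which operation the request actually performs, then checks the ACL against that operation and the resource owner.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (assumed shape, not a real framework)."""
    method: str                                   # HTTP method, e.g. "GET"
    path: str                                     # e.g. "/photosets/42"
    query: Dict[str, str] = field(default_factory=dict)
    user: Optional[str] = None                    # authenticated principal; None = anonymous


def fresh_store() -> Dict[str, Dict[str, str]]:
    """Constructed sample data: photoset id -> owner and title."""
    return {"42": {"owner": "alice", "title": "Holiday"},
            "43": {"owner": "bob", "title": "Work"}}


def photoset_id(req: Request) -> str:
    return req.path.rsplit("/", 1)[-1]


def wants_delete_via_get(req: Request) -> bool:
    # Legacy-style API where GET ...?method=delete performs a deletion,
    # the pattern described under Observed Examples (parameter name assumed).
    return req.method == "GET" and req.query.get("method") == "delete"


# ---- Vulnerable: access control keyed on the HTTP method -------------------

MUTATING_METHODS = {"POST", "PUT", "DELETE"}


def method_acl(req: Request) -> bool:
    """Baked-in assumption: only POST/PUT/DELETE change data, so only they need auth."""
    return req.user is not None or req.method not in MUTATING_METHODS


def vulnerable_handle(req: Request, store: Dict[str, Dict[str, str]]) -> Tuple[int, str]:
    if not method_acl(req):
        return 403, "forbidden"
    pid = photoset_id(req)
    if pid not in store:
        return 404, "not found"
    if req.method == "DELETE" or wants_delete_via_get(req):
        del store[pid]            # an anonymous GET reaches this line
        return 200, "deleted"
    if req.method == "GET":
        return 200, store[pid]["title"]
    return 405, "method not allowed"


# ---- Hardened: access control keyed on the operation and the resource -------

def resolve_operation(req: Request) -> Optional[str]:
    """Name the operation the request actually performs, whatever method carries it."""
    if req.method == "DELETE" or wants_delete_via_get(req):
        return "delete"
    if req.method == "GET":
        return "read"
    return None


def authorize(op: str, req: Request, resource: Dict[str, str]) -> bool:
    """ACL on the operation: reads are public, deletes need the authenticated owner."""
    if op == "read":
        return True
    if op == "delete":
        return req.user is not None and req.user == resource["owner"]
    return False


def hardened_handle(req: Request, store: Dict[str, Dict[str, str]]) -> Tuple[int, str]:
    pid = photoset_id(req)
    if pid not in store:
        return 404, "not found"
    op = resolve_operation(req)
    if op is None:
        return 405, "method not allowed"
    if not authorize(op, req, store[pid]):
        return 403, "forbidden"
    if op == "delete":
        del store[pid]
        return 200, "deleted"
    return 200, store[pid]["title"]


if __name__ == "__main__":
    s = fresh_store()
    print("vulnerable:", vulnerable_handle(Request("GET", "/photosets/42", {"method": "delete"}), s), sorted(s))
    s = fresh_store()
    print("hardened:  ", hardened_handle(Request("GET", "/photosets/42", {"method": "delete"}), s), sorted(s))
```

The hardened handler still honours the legacy GET-based delete for compatibility, but only after the ownership check; the cleaner design is to refuse mutation on GET altogether (return 405 for that path) and require DELETE, since user agents, crawlers and prefetchers are entitled to issue GET requests freely on the assumption that they are safe.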

Observed Examples
Reference: none listed
Description: The HTTP GET method is designed to retrieve resources, not to alter the state of the application or of resources on the server side. However, developers can easily write programs that accept an HTTP GET request which does in fact create, update or delete data on the server. Both Flickr (http://www.flickr.com/services/api/flickr.photosets.delete.html) and del.icio.us (http://del.icio.us/api/posts/delete) have implemented delete operations using standard HTTP GET requests. These GET endpoints do delete data on the server side, even though GET is not supposed to alter state.
Relationships
Nature: ChildOf
Type: Weakness Class
ID: 227
Name: Failure to Fulfill API Contract (aka 'API Abuse')
Applicable Platforms

All

Time of Introduction

Architecture and Design

Implementation

System Configuration

Page Last Updated: April 22, 2008