CWE-293 使用Refer域进行认证

Using Referer Field for Authentication

结构: Simple

Abstraction: Variant

状态: Draft

被利用可能性: High

基本描述

The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 290 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 290 cwe_View_ID: 699 cwe_Ordinal: Primary

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围 影响 注释
Access Control Gain Privileges or Assume Identity Actions, which may not be authorized otherwise, can be carried out as if they were validated by the server referred to.

可能的缓解方案

Architecture and Design

策略:

In order to usefully check if a given action is authorized, some means of strong authentication and method protection must be used. Use other means of authorization that cannot be simply spoofed. Possibilities include a username/password or certificate.

示例代码

The following code samples check a packet's referer in order to decide whether or not an inbound request is from a trusted host.

bad C++

String trustedReferer = "http://www.example.com/"
while(true){
n = read(newsock, buffer, BUFSIZE);
requestPacket = processPacket(buffer, n);
if (requestPacket.referer == trustedReferer){
openNewSecureSession(requestPacket);
}
}

bad Java

boolean processConnectionRequest(HttpServletRequest request){
String referer = request.getHeader("referer")
String trustedReferer = "http://www.example.com/"
if(referer.equals(trustedReferer)){
openPrivilegedConnection(request);
return true;
}
else{
sendPrivilegeError(request);
return false;
}
}

These examples check if a request is from a trusted referer before responding to a request, but the code only verifies the referer name as stored in the request packet. An attacker can spoof the referer, thus impersonating a trusted client.

分类映射

映射的分类名 ImNode ID Fit Mapped Node Name
CLASP Using referrer field for authentication
Software Fault Patterns SFP29 Faulty endpoint authentication

引用