CWE-352 – Cross-Site Request Forgery (CSRF)

Description

The web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

When a web server is designed to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it might be possible for an attacker to trick a client into making an unintentional request to the web server which will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: Medium

Related Weaknesses

CWE-345
CWE-346
CWE-441
CWE-642
CWE-613

Consequences

Confidentiality, Integrity, Availability, Non-Repudiation, Access Control: Gain Privileges or Assume Identity, Bypass Protection Mechanism, Read Application Data, Modify Application Data, DoS: Crash, Exit, or Restart

The consequences will vary depending on the nature of the functionality that is vulnerable to CSRF. An attacker could effectively perform any operations as the victim. If the victim is an administrator or privileged user, the consequences may include obtaining complete control over the web application – deleting or stealing data, uninstalling the product, or using it to launch other attacks against all of the product’s users. Because the attacker has the identity of the victim, the scope of CSRF is limited only by the victim’s privileges.

Potential Mitigations

Phase: Architecture and Design

Description: 

Phase: Implementation

Description: 

Ensure that the application is free of cross-site scripting issues (CWE-79), because most CSRF defenses can be bypassed using attacker-controlled script.

Phase: Architecture and Design

Description: 

Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330). [REF-332]

Note that this can be bypassed using XSS (CWE-79).

Phase: Architecture and Design

Description: 

Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation.

Note that this can be bypassed using XSS (CWE-79).

Phase: Architecture and Design

Description: 

Note that this can probably be bypassed using XSS (CWE-79), or when using web technologies that enable the attacker to read raw headers from HTTP requests.

Phase: Architecture and Design

Description: 

Do not use the GET method for any request that triggers a state change.

Phase: Implementation

Description: 

Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons.

Note that this can be bypassed using XSS (CWE-79). An attacker could use XSS to generate a spoofed Referer, or to generate a malicious request from a page whose Referer would be allowed.
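The per-form nonce, the no-GET rule and the Referer check from the mitigations above, combined into one request gate, as an added Python example (not CWE's or any product's code); the in-memory session store, the host name and the header and form shapes are assumptions:

```python
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed in-memory session store (assumption): session id -> unspent form nonces.
SESSIONS = {}

def issue_nonce(session_id: str) -> str:
    """Mint an unpredictable per-form nonce (CWE-330) and remember it server-side."""
    nonce = secrets.token_urlsafe(32)            # CSPRNG output, never a counter or timestamp
    SESSIONS.setdefault(session_id, set()).add(nonce)
    return nonce

def verify_nonce(session_id: str, submitted: Optional[str]) -> bool:
    """Accept a form only if it carries a nonce minted for this session; spend it on use."""
    if not submitted:
        return False
    for nonce in SESSIONS.get(session_id, set()):
        if hmac.compare_digest(nonce.encode(), submitted.encode()):   # constant-time compare
            SESSIONS[session_id].discard(nonce)                       # single use: no replay
            return True
    return False

def referer_allowed(headers: dict, expected_host: str) -> bool:
    """Referer check: the page must come from the expected host. A missing header is
    rejected, which is the trade-off the text notes for privacy-stripping clients/proxies."""
    referer = headers.get("Referer")
    if not referer:
        return False
    return urlsplit(referer).netloc.lower() == expected_host.lower()

def handle_state_change(method: str, headers: dict, form: dict,
                        session_id: str, expected_host: str) -> Tuple[bool, str]:
    """Gate a state-changing request with all three mitigations; returns (allowed, reason)."""
    if method.upper() == "GET":
        return False, "state change over GET refused"
    if not referer_allowed(headers, expected_host):
        return False, "unexpected or missing Referer"
    if not verify_nonce(session_id, form.get("csrf_nonce")):
        return False, "missing, unknown or reused nonce"
    return True, "ok"

if __name__ == "__main__":
    sid = "session-1"                            # constructed session id
    nonce = issue_nonce(sid)                     # would be embedded in the rendered form
    print(handle_state_change("POST", {"Referer": "https://app.example/settings"},
                              {"csrf_nonce": nonce}, sid, "app.example"))
```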

CVE References

  • CVE-2004-1967
    • Arbitrary code execution by specifying the code in a crafted img tag or URL
  • CVE-2004-1842
    • Gain administrative privileges via a URL in an img tag
  • CVE-2005-1947
    • Delete a victim’s information via a URL or an img tag
  • CVE-2005-2059
    • Change another user’s settings via a URL or an img tag
  • CVE-2005-1674
    • Perform actions as administrator via a URL or an img tag
  • CVE-2009-3022
    • CMS allows modification of configuration via CSRF attack against the administrator
  • CVE-2009-3759
    • web interface allows password changes or stopping a virtual machine via CSRF

CWE-351 – Insufficient Type Distinction

Description

The software does not properly distinguish between different types of elements in a way that leads to insecure behavior.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-345
CWE-436

Consequences

Other: Other

Potential Mitigations

CVE References

  • CVE-2005-2260
    • Browser user interface does not distinguish between user-initiated and synthetic events.
  • CVE-2005-2801
    • Product does not compare all required data in two separate elements, causing it to think they are the same, leading to loss of ACLs. Similar to Same Name error.

CWE-350 – Reliance on Reverse DNS Resolution for a Security-Critical Action

Description

The software performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-290
CWE-923
CWE-807

Consequences

Access Control: Gain Privileges or Assume Identity, Bypass Protection Mechanism

Malicious users can fake authentication information by providing false DNS information.

Potential Mitigations

Phase: Architecture and Design

Description: 

Use other means of identity verification that cannot be simply spoofed. Possibilities include a username/password or certificate.

Phase: Implementation

Description: 

Perform proper forward and reverse DNS lookups to detect DNS spoofing.
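The forward-plus-reverse (double-reverse) lookup described above, as an added Python example that is not CWE's own code; the resolver answers at the bottom are constructed so it runs offline, and the socket-backed defaults are used only when no resolver is injected:

```python
import ipaddress
import socket
from typing import Callable, List, Optional

def dns_reverse(ip: str) -> str:
    """PTR lookup via the system resolver; raises LookupError when there is no answer."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError as exc:
        raise LookupError(ip) from exc

def dns_forward(name: str) -> List[str]:
    """A record lookup via the system resolver; raises LookupError on failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError as exc:
        raise LookupError(name) from exc

def verified_hostname(ip: str,
                      reverse: Callable[[str], str] = dns_reverse,
                      forward: Callable[[str], List[str]] = dns_forward) -> Optional[str]:
    """Double-reverse lookup: return the PTR name only if it resolves back to ip.
    Whoever controls the address block can publish any PTR, so the forward record
    of the claimed name is the part that must agree."""
    try:
        name = reverse(ip)
        addresses = forward(name)
    except LookupError:
        return None
    target = ipaddress.ip_address(ip)
    return name if any(ipaddress.ip_address(a) == target for a in addresses) else None

def is_trusted_client(ip: str, trusted_hosts, reverse=dns_reverse, forward=dns_forward) -> bool:
    """Allowlist decision on the verified name; the page's stronger fix is credentials
    or certificates, this only removes the trivial PTR spoof."""
    name = verified_hostname(ip, reverse, forward)
    return name is not None and name.lower() in {h.lower() for h in trusted_hosts}

# Constructed resolver answers (assumption) so the example runs offline:
# 203.0.113.9 publishes a PTR claiming trusted.example, but the forward record disagrees.
PTR = {"203.0.113.5": "trusted.example", "203.0.113.9": "trusted.example"}
FORWARD = {"trusted.example": ["203.0.113.5"]}

def fake_reverse(ip: str) -> str:
    return PTR[ip]              # KeyError is a LookupError, so a missing PTR is "no answer"

def fake_forward(name: str) -> List[str]:
    return FORWARD[name]
```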

CVE References

  • CVE-2001-1488
    • Does not do double-reverse lookup to prevent DNS spoofing.
  • CVE-2001-1500
    • Does not verify reverse-resolved hostnames in DNS.
  • CVE-2000-1221
    • Authentication bypass using spoofed reverse-resolved DNS hostnames.
  • CVE-2002-0804
    • Authentication bypass using spoofed reverse-resolved DNS hostnames.
  • CVE-2001-1155
    • Filter does not properly check the result of a reverse DNS lookup, which could allow remote attackers to bypass intended access restrictions via DNS spoofing.
  • CVE-2004-0892
    • Reverse DNS lookup used to spoof trusted content in intermediary.
  • CVE-2003-0981
    • Product records the reverse DNS name of a visitor in the logs, allowing spoofing and resultant XSS.

CWE-35 – Path Traversal: ‘.../...//’

Description

The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize ‘.../...//’ (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-23

Consequences

Confidentiality, Integrity: Read Files or Directories, Modify Files or Directories

Potential Mitigations

Phase: Implementation

Effectiveness: High

Description: 

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
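The decode-once, canonicalize, then validate approach above, shown beside the regex-stripping filter that the CVE entries below describe as bypassable, as an added Python example (not from CWE or the affected products); the base directory is an assumption and paths are POSIX:

```python
import os
import re
from typing import Optional
from urllib.parse import unquote

BASE = "/srv/app/public"   # constructed base directory (assumption); POSIX paths throughout

def strip_dotdot_once(path: str) -> str:
    """The weak filter the CVE entries describe: delete every '../' in a single pass."""
    return re.sub(r"\.\./", "", path)

def join_after_weak_filter(base: str, user_path: str) -> str:
    """Resolve the path while trusting the weak filter as the only validation."""
    return os.path.normpath(os.path.join(base, strip_dotdot_once(user_path).lstrip("/")))

def safe_join(base: str, user_path: str) -> Optional[str]:
    """Decode exactly once (CWE-174), canonicalize (CWE-180), then validate containment
    on the canonical form. Returns None when the result leaves the base directory."""
    decoded = unquote(user_path)        # calling unquote() again here would be CWE-174
    base_norm = os.path.normpath(base)
    # normpath collapses '.', '..' and '//' lexically; add os.path.realpath when
    # symlinks inside the base directory must not be allowed to escape it.
    candidate = os.path.normpath(os.path.join(base_norm, decoded.lstrip("/")))
    if candidate == base_norm or candidate.startswith(base_norm + os.sep):
        return candidate
    return None

if __name__ == "__main__":
    probe = ".../...//etc/passwd"              # the sequence from the CWE-35 title
    print(strip_dotdot_once(probe))            # the filter collapses it into '../etc/passwd'
    print(join_after_weak_filter(BASE, probe)) # and the resolved path lands outside BASE
    print(safe_join(BASE, probe))              # harmless: a literal '...' directory inside BASE
```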

CVE References

  • CVE-2005-2169
    • chain: “.../...//” bypasses protection mechanism using regexp’s that remove “../” resulting in collapse into an unsafe value “../” (CWE-182) and resultant path traversal.
  • CVE-2005-0202
    • “.../....///” bypasses regexp’s that remove “./” and “../”

CWE-349 – Acceptance of Extraneous Untrusted Data With Trusted Data

Description

The software, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-345

Consequences

Access Control, Integrity: Bypass Protection Mechanism, Modify Application Data

An attacker could package untrusted data with trusted data to bypass protection mechanisms to gain access to and possibly modify sensitive data.

Potential Mitigations

CVE References

  • CVE-2002-0018
    • Does not verify that trusted entity is authoritative for all entities in its response.
  • CVE-2006-5462
    • use of extra data in a signature allows certificate signature forging

CWE-348 – Use of Less Trusted Source

Description

The software has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-345

Consequences

Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity

An attacker could utilize the untrusted data source to bypass protection mechanisms and gain access to sensitive data.

Potential Mitigations

CVE References

  • CVE-2001-0860
    • Product uses IP address provided by a client, instead of obtaining it from the packet headers, allowing easier spoofing.
  • CVE-2004-1950
    • Web product uses the IP address in the X-Forwarded-For HTTP header instead of a server variable that uses the connecting IP address, allowing filter bypass.
  • CVE-2001-0908
    • Product logs IP address specified by the client instead of obtaining it from the packet headers, allowing information hiding.
  • CVE-2006-1126
    • PHP application uses IP address from X-Forwarded-For HTTP header, instead of REMOTE_ADDR.

CWE-347 – Improper Verification of Cryptographic Signature

Description

The software does not verify, or incorrectly verifies, the cryptographic signature for data.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-345

Consequences

Access Control, Integrity, Confidentiality: Gain Privileges or Assume Identity, Modify Application Data, Execute Unauthorized Code or Commands

An attacker could gain access to sensitive data and possibly execute unauthorized code.

Potential Mitigations

CVE References

  • CVE-2002-1796
    • Does not properly verify signatures for “trusted” entities.
  • CVE-2002-1706
    • Accepts a configuration file without a Message Integrity Check (MIC) signature.

CWE-346 – Origin Validation Error

Description

The software does not properly verify that the source of data or communication is valid.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-345
CWE-284

Consequences

Access Control, Other: Gain Privileges or Assume Identity, Varies by Context

An attacker can access any functionality that is inadvertently accessible to the source.

Potential Mitigations

CVE References

  • CVE-2000-1218
    • DNS server can accept DNS updates from hosts that it did not query, leading to cache poisoning
  • CVE-2005-0877
    • DNS server can accept DNS updates from hosts that it did not query, leading to cache poisoning
  • CVE-2001-1452
    • DNS server caches glue records received from non-delegated name servers
  • CVE-2003-0174
    • LDAP service does not verify if a particular attribute was set by the LDAP server
  • CVE-1999-1549
    • product does not sufficiently distinguish external HTML from internal, potentially dangerous HTML, allowing bypass using special strings in the page title. Overlaps special elements.
  • CVE-2003-0981
    • product records the reverse DNS name of a visitor in the logs, allowing spoofing and resultant XSS.

CWE-344 – Use of Invariant Value in Dynamically Changing Context

Description

The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-330

Consequences

Other: Varies by Context

Potential Mitigations

CVE References

  • CVE-2002-0980
    • Component for web browser writes an error message to a known location, which can then be referenced by attackers to process HTML/script in a less restrictive context