The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking.

What CVEs are caused by CWE-293?

1 recorded CVEs are attributed to CWE-293, including CVE-2023-20025.

How do you prevent CWE-293?

In order to usefully check if a given action is authorized, some means of strong authentication and method protection must be used. Use other means of authorization that cannot be simply spoofed. Possibilities include a username/password or certificate.

How is CWE-293 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What are the consequences of CWE-293?

Exploiting CWE-293 can lead to: Gain Privileges or Assume Identity.

Is CWE-293 actively exploited?

1 recorded CVEs are caused by CWE-293; none are currently in CISA's KEV catalog of actively exploited flaws.

CWE-293: Using Referer Field for Authentication (referrer)

Background

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The following code samples check a packet's referer in order to decide whether or not an inbound request is from a trusted host.

Vulnerable example

cpp

String trustedReferer = "http://www.example.com/"

Vulnerable example

java

boolean processConnectionRequest(HttpServletRequest request){

These examples check if a request is from a trusted referer before responding to a request, but the code only verifies the referer name as stored in the request packet. An attacker can spoof the referer, thus impersonating a trusted client.

Background

CWE-293: Using Referer Field for Authentication

Overview

Background

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Terminology & mappings

Alternate terms

Mapped taxonomies

Frequently asked questions

What is CWE-293?

What CVEs are caused by CWE-293?

How do you prevent CWE-293?

How is CWE-293 detected?

What are the consequences of CWE-293?

Is CWE-293 actively exploited?

References

Stay ahead of CWE-293

Background

Overview

Background

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Related weaknesses

Parent

Terminology & mappings

Alternate terms

Mapped taxonomies

Frequently asked questions

What is CWE-293?

What CVEs are caused by CWE-293?

How do you prevent CWE-293?

How is CWE-293 detected?

What are the consequences of CWE-293?

Is CWE-293 actively exploited?

References

Stay ahead of CWE-293