Insufficient Verification of Data Authenticity
Weakness ID: 345 (Weakness Class)Status: Draft
+ Description

Description Summary

The software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

All

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory254Security Features
Development Concepts (primary)699
ChildOfWeakness ClassWeakness Class693Protection Mechanism Failure
Research Concepts (primary)1000
ChildOfCategoryCategory724OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management
Weaknesses in OWASP Top Ten (2004) (primary)711
ParentOfWeakness VariantWeakness Variant247Reliance on DNS Lookups in a Security Decision
Research Concepts1000
ParentOfWeakness BaseWeakness Base297Improper Validation of Host-specific Certificate Data
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base322Key Exchange without Entity Authentication
Research Concepts1000
ParentOfWeakness BaseWeakness Base346Origin Validation Error
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base347Improper Verification of Cryptographic Signature
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base348Use of Less Trusted Source
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base349Acceptance of Extraneous Untrusted Data With Trusted Data
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base350Improperly Trusted Reverse DNS
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base351Insufficient Type Distinction
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfCompound Element: CompositeCompound Element: Composite352Cross-Site Request Forgery (CSRF)
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base353Failure to Add Integrity Check Value
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base354Improper Validation of Integrity Check Value
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base360Trust of System Event Data
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant616Incomplete Identification of Uploaded File Variables (PHP)
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant646Reliance on File Name or Extension of Externally-Supplied File
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base649Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
Development Concepts (primary)699
Research Concepts (primary)1000
CanAlsoBeWeakness BaseWeakness Base283Unverified Ownership
Research Concepts1000
CanAlsoBeWeakness BaseWeakness Base358Improperly Implemented Security Check for Standard
Research Concepts1000
CanAlsoBeWeakness BaseWeakness Base708Incorrect Ownership Assignment
Research Concepts1000
+ Relationship Notes

"origin validation" could fall under this.

+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERInsufficient Verification of Data
OWASP Top Ten 2004A3CWE More SpecificBroken Authentication and Session Management
WASC12Content Spoofing
+ Related Attack Patterns
CAPEC-IDAttack Pattern Name
(CAPEC Version: 1.4)
4Using Alternative IP Address Encodings
111JSON Hijacking (aka JavaScript Hijacking)
209Cross-Site Scripting Using MIME Type Mismatch
+ Maintenance Notes

The specific ways in which the origin is not properly identified should be laid out as separate weaknesses. In some sense, this is more like a category.

+ Content History
Submissions
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Maintenance Notes, Relationships, Relationship Notes, Taxonomy Mappings
2009-05-27CWE Content TeamMITREInternal
updated Related Attack Patterns
2009-07-27CWE Content TeamMITREInternal
updated Related Attack Patterns
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Insufficient Verification of Data