Using Referer Field for Authentication
Weakness ID: 293 (Weakness Variant)
Status: Draft
+ Description

Description Summary

The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking.
+ Alternate Terms
referrer:

While the proper spelling might be regarded as "referrer," the HTTP RFCs and their implementations use "referer," so this is regarded as the correct spelling.

+ Time of Introduction
  • Architecture and Design
+ Applicable Platforms

Languages

All

+ Common Consequences
Scope: Authorization
Effect: Actions that would otherwise not be authorized can be carried out as if they had been validated by the referring server.

Scope: Accountability
Effect: Actions may be taken in the name of the referring server.

+ Likelihood of Exploit

High

+ Demonstrative Examples

Example 1

(Bad Code)
Example Languages: C and C++
sock = socket(AF_INET, SOCK_STREAM, 0);
...
bind(sock, (struct sockaddr *)&server, len);
...
while (1) {
    newsock = accept(sock, (struct sockaddr *)&from, &fromlen);
    pid = fork();
    if (pid == 0) {
        n = read(newsock, buffer, BUFSIZE);
        ...
        /* authorization decided solely by the client-supplied Referer header */
        if (strstr(buffer, "Referer: http://www.foo.org/dsaf.html")) {
            /* do stuff */
        }
    }
}

(Bad Code)
Example Language: Java
public class httpd extends Thread {
    Socket cli;
    public httpd(Socket serv) {
        cli = serv;
        start();
    }
    public static void main(String[] a) {
        ...
        ServerSocket serv = new ServerSocket(8181);
        for (;;) {
            new httpd(serv.accept());
        }
        ...
    }
    public void run() {
        try {
            BufferedReader reader = new BufferedReader(new InputStreamReader(cli.getInputStream()));
            DataOutputStream o = new DataOutputStream(cli.getOutputStream());
            ...
            // if the request read from reader contains the proper Referer, do stuff
        } catch (IOException e) {
            ...
        }
    }
}

+ Potential Mitigations

Phase: Architecture and Design

In order to usefully check whether a given action is authorized, some means of strong authentication and method protection must be used. Use another means of authorization that cannot be simply spoofed, such as a username/password pair or a client certificate.
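As an added example, not part of this CWE entry or of CLASP: the C program below parses the Referer and Cookie headers of constructed HTTP requests and puts the referer-based decision of Example 1 beside an authorization check that requires a session token issued by the server only after a username/password login, the kind of spoof-resistant credential the mitigation calls for. The header parser, the reuse of the trusted URL from Example 1, the `session` cookie name and the single hard-coded token standing in for a server-side session store are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Locate a request header by name (case-sensitive, for brevity) and return a
 * pointer to its value plus the value length. Scanning starts after the
 * request line and stops at the blank line that ends the headers. */
static const char *find_header(const char *req, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = strstr(req, "\r\n");
    while (p != NULL) {
        p += 2;
        if (p[0] == '\r' && p[1] == '\n') return NULL;   /* end of headers */
        if (strncmp(p, name, nlen) == 0 && p[nlen] == ':') {
            const char *v = p + nlen + 1;
            while (*v == ' ') v++;
            const char *e = strstr(v, "\r\n");
            *len = e ? (size_t)(e - v) : strlen(v);
            return v;
        }
        p = strstr(p, "\r\n");
    }
    return NULL;
}

#define TRUSTED_REFERER "http://www.foo.org/dsaf.html"

/* CWE-293: the decision rests entirely on a header the client chooses. */
bool authorize_by_referer(const char *req)
{
    size_t len;
    const char *v = find_header(req, "Referer", &len);
    return v != NULL && len == strlen(TRUSTED_REFERER)
        && memcmp(v, TRUSTED_REFERER, len) == 0;
}

/* Assumption: one token standing in for the server-side session store. It is
 * issued only after a successful login and is never derived from client input. */
static const char VALID_SESSION[] = "c0ffee1234567890abcdef1234567890";

/* Constant-time comparison so the token cannot be guessed byte by byte. */
static bool ct_equal(const char *a, const char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Hardened check: require a credential only the server can have issued. */
bool authorize_by_session(const char *req)
{
    size_t len;
    const char *c = find_header(req, "Cookie", &len);
    if (c == NULL) return false;
    const char *key = "session=";              /* assumed cookie name */
    size_t klen = strlen(key);
    for (size_t i = 0; i + klen <= len; i++) { /* stay inside the header value */
        if (memcmp(c + i, key, klen) == 0) {
            const char *tok = c + i + klen;
            size_t tlen = 0;
            while (i + klen + tlen < len && tok[tlen] != ';') tlen++;
            if (tlen != strlen(VALID_SESSION)) return false;
            return ct_equal(tok, VALID_SESSION, tlen);
        }
    }
    return false;
}

/* Constructed requests, not captured traffic. */
const char *REQ_LEGIT =
    "GET /admin/delete HTTP/1.1\r\n"
    "Host: www.foo.org\r\n"
    "Referer: http://www.foo.org/dsaf.html\r\n"
    "Cookie: session=c0ffee1234567890abcdef1234567890\r\n"
    "\r\n";

/* Same Referer value, no session: any client can type this. */
const char *REQ_FORGED_REFERER =
    "GET /admin/delete HTTP/1.1\r\n"
    "Host: www.foo.org\r\n"
    "Referer: http://www.foo.org/dsaf.html\r\n"
    "\r\n";

/* Right Referer, wrong session token. */
const char *REQ_BAD_SESSION =
    "GET /admin/delete HTTP/1.1\r\n"
    "Host: www.foo.org\r\n"
    "Referer: http://www.foo.org/dsaf.html\r\n"
    "Cookie: theme=dark; session=00000000000000000000000000000000\r\n"
    "\r\n";

int main(void)
{
    printf("referer check, forged request: %s\n",
           authorize_by_referer(REQ_FORGED_REFERER) ? "ALLOWED" : "denied");
    printf("session check, forged request: %s\n",
           authorize_by_session(REQ_FORGED_REFERER) ? "ALLOWED" : "denied");
    printf("session check, logged-in request: %s\n",
           authorize_by_session(REQ_LEGIT) ? "allowed" : "DENIED");
    return 0;
}
```

The referer check accepts the forged request because the only thing it verifies is a string the client wrote; the session check rejects it because the required value never left the server. Detection-wise, a request that carries the trusted Referer but no session cookie, as in REQ_FORGED_REFERER, is the pattern a log review would look for on a server still relying on this header.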

+ Background Details

The referer field in HTTP requests can be trivially modified by malicious users, rendering it useless as a means of checking the validity of the request in question.

+ Relationships
Nature   Type                         ID   Name                               View(s) this relationship pertains to
ChildOf  Weakness Base                290  Authentication Bypass by Spoofing  Development Concepts (primary) 699; Research Concepts (primary) 1000
PeerOf   Compound Element: Composite  291  Trusting Self-reported IP Address  Research Concepts 1000
PeerOf   Weakness Variant             292  Trusting Self-reported DNS Name    Research Concepts 1000
+ Relevant Properties
  • Mutability
+ Taxonomy Mappings
Mapped Taxonomy Name  Node ID  Fit  Mapped Node Name
CLASP                                Using referrer field for authentication
+ Content History
Submissions
Submission Date  Submitter  Organization  Source
                 CLASP                    Externally Mined
Modifications
Modification Date  Modifier          Organization  Source
2008-09-08         CWE Content Team  MITRE         Internal
Updated Alternate Terms, Background Details, Common Consequences, Relationships, Relevant Properties, Taxonomy Mappings