Origin Validation Error
Weakness ID: 346 (Weakness Base)    Status: Draft
+ Description

Description Summary

The software does not properly verify that the source of data or communication is valid.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

+ Observed Examples
Reference        Description
CVE-2000-1218    DNS server can accept DNS updates from hosts that it did not query, leading to cache poisoning.
CVE-2005-0877    DNS server can accept DNS updates from hosts that it did not query, leading to cache poisoning.
CVE-2001-1452    DNS server caches glue records received from non-delegated name servers.
CVE-2005-2188    User ID obtained from untrusted source (URL).
CVE-2003-0174    LDAP service does not verify if a particular attribute was set by the LDAP server.
CVE-1999-1549    Product does not sufficiently distinguish external HTML from internal, potentially dangerous HTML, allowing bypass using special strings in the page title. Overlaps special elements.
CVE-2003-0981    Product records the reverse DNS name of a visitor in the logs, allowing spoofing and resultant XSS.
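The three DNS entries above (CVE-2000-1218, CVE-2005-0877, CVE-2001-1452) come down to one missing check: the resolver never confirmed that a response arrived from the server it queried, answered the question it asked, and only carried records that server is entitled to speak for. The block below is an added example, not code from CWE, MITRE, or any real resolver. It shows the unchecked behaviour beside a version that validates origin before caching. The transaction ID, addresses, zone and record data are constructed for illustration, and the "bailiwick" rule is simplified to a suffix match against the zone the queried server is authoritative for.

```python
# Added example (not from CWE or any real resolver): origin validation of
# DNS responses, the check whose absence is described in CVE-2000-1218,
# CVE-2005-0877 and CVE-2001-1452. All names, records and addresses are
# constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Addr = Tuple[str, int]          # (ip, port)
Record = Tuple[str, str, str]   # (owner name, type, value)


def canon(name: str) -> str:
    """Canonical DNS name: lowercase, no trailing dot."""
    return name.lower().rstrip(".")


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is at or below `zone`: the only names a server we
    queried for `zone` is entitled to tell us about (simplified rule)."""
    name, zone = canon(name), canon(zone)
    return name == zone or name.endswith("." + zone)


@dataclass(frozen=True)
class Question:
    name: str
    qtype: str


@dataclass
class Outstanding:
    question: Question
    server: Addr     # where the query was sent
    zone: str        # zone that server is authoritative for (bailiwick)


@dataclass
class Response:
    txid: int
    question: Question
    source: Addr
    answers: List[Record]
    additional: List[Record] = field(default_factory=list)


class Resolver:
    def __init__(self) -> None:
        self.pending: Dict[int, Outstanding] = {}      # txid -> what we asked
        self.cache: Dict[Tuple[str, str], str] = {}   # (name, type) -> value

    def send_query(self, txid: int, question: Question, server: Addr, zone: str) -> None:
        # Sending is simulated: only record what was asked, of whom, for which zone.
        self.pending[txid] = Outstanding(question, server, zone)

    def accept_unchecked(self, resp: Response) -> bool:
        """The CWE-346 behaviour: cache whatever arrives, from anyone."""
        for name, rtype, value in resp.answers + resp.additional:
            self.cache[(canon(name), rtype)] = value
        return True

    def accept(self, resp: Response) -> bool:
        """Cache a response only if its origin matches an outstanding query."""
        q = self.pending.get(resp.txid)
        if q is None:
            return False                       # unsolicited: nothing was asked with this ID
        if resp.source != q.server:
            return False                       # not from the server we queried
        asked = Question(canon(q.question.name), q.question.qtype)
        got = Question(canon(resp.question.name), resp.question.qtype)
        if asked != got:
            return False                       # answers a question we did not ask
        for name, rtype, value in resp.answers:
            self.cache[(canon(name), rtype)] = value
        # Additional (glue) records are trusted only inside the queried zone;
        # out-of-bailiwick glue is dropped, not cached (cf. CVE-2001-1452).
        for name, rtype, value in resp.additional:
            if in_bailiwick(name, q.zone):
                self.cache[(canon(name), rtype)] = value
        del self.pending[resp.txid]            # one answer per query; replays fail
        return True


if __name__ == "__main__":
    r = Resolver()
    r.send_query(0x1234, Question("www.example.test", "A"), ("192.0.2.53", 53), "example.test")
    forged = Response(0x9999, Question("www.example.test", "A"), ("198.51.100.7", 53),
                      [("www.example.test", "A", "198.51.100.7")])
    print("forged accepted:", r.accept(forged))
    genuine = Response(0x1234, Question("WWW.example.test.", "A"), ("192.0.2.53", 53),
                       [("www.example.test", "A", "192.0.2.10")],
                       [("ns1.example.test", "A", "192.0.2.53"),
                        ("www.bank.test", "A", "198.51.100.7")])
    print("genuine accepted:", r.accept(genuine))
    print("cache:", r.cache)
```

The source-address and transaction-ID checks are what the first two CVEs lacked; the bailiwick check on the additional section is what the third lacked. Note that a 16-bit transaction ID and a fixed source port leave these checks guessable by an off-path attacker, so real resolvers also randomise the source port and validate the question section and, where available, DNSSEC signatures; this example only shows the origin-binding logic itself.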
+ Weakness Ordinalities
Primary (where the weakness exists independent of other weaknesses)
Resultant (where the weakness is typically related to the presence of some other weaknesses)
+ Relationships
Nature      Type                         ID   Name                                            View(s) this relationship pertains to
ChildOf     Weakness Class               345  Insufficient Verification of Data Authenticity  Development Concepts (primary) 699; Research Concepts (primary) 1000
RequiredBy  Compound Element: Composite  352  Cross-Site Request Forgery (CSRF)               Research Concepts 1000
RequiredBy  Compound Element: Composite  384  Session Fixation                                Research Concepts 1000
PeerOf      Weakness Base                451  UI Misrepresentation of Critical Information    Research Concepts 1000
+ Relationship Notes

This is a factor in many weaknesses, both primary and resultant. The problem could be due to design or implementation. This is a fairly general class.

+ Taxonomy Mappings
Mapped Taxonomy Name    Node ID    Fit    Mapped Node Name
PLOVER                                    Origin Validation Error
+ Related Attack Patterns
(CAPEC Version: 1.4)
CAPEC-ID    Attack Pattern Name
21          Exploitation of Session Variables, Resource IDs and other Trusted Credentials
59          Session Credential Falsification through Prediction
60          Reusing Session IDs (aka Session Replay)
75          Manipulating Writeable Configuration Files
76          Manipulating Input to File System Calls
111         JSON Hijacking (aka JavaScript Hijacking)
+ Content History
Submission Date    Submitter    Organization    Source
                   PLOVER                       Externally Mined
Modification Date  Modifier          Organization  Source
2008-07-01         Eric Dalci        Cigital       External
                   updated Time of Introduction
2008-09-08         CWE Content Team  MITRE         Internal
                   updated Relationships, Relationship Notes, Taxonomy Mappings, Weakness Ordinalities
2009-05-27         CWE Content Team  MITRE         Internal
                   updated Related Attack Patterns