CWE Glossary

CWE is a trademark of the MITRE Corporation.


Insufficient Verification of Data Authenticity [CWE-345]

This weakness describes improper or absent verification of input data authenticity.

Created: December 11, 2013
Latest Update: August 6, 2015

Table of Contents

  1. Description
  2. Potential impact
  3. Attack patterns
  4. Affected software
  5. Exploitation Examples
  6. Severity and CVSS Scoring
  7. Mitigations
  8. References
  9. Latest Related Security Advisories

1. Description

This class of weaknesses results from trust issues between the parties of a data exchange. If an application fails to verify the origin or authenticity of data, an attacker might be able to perform spoofing attacks against the vulnerable application or its clients. Lack of data authenticity verification may arise in a variety of situations and is most likely introduced at the design and implementation stages of the application development process.

CWE-345 should be considered a class of weaknesses; it is the parent element for entries such as Cross-site Request Forgery.

In this paper we will try to cover the most common cases of this weakness and provide possible workarounds and mitigation techniques.

Server-side vulnerabilities

Server applications are designed to work with multiple clients. If such an application fails to correctly verify its clients, a malicious user might leverage this weakness to perform certain unauthorized actions.

1.1 User identity spoofing

As an example of this weakness we will use a simple PHP script that displays the contents of a customer's basket based on user and basket identifiers:

```php
<?php
$BasketID = intval($_GET["id"]); // Basket identifier taken straight from the request
if ($BasketID):
    // Selecting records from MySQL database; nothing ties the basket to the current user
    $rs = $DB->Query("select * from tbl_basket where id='" . $BasketID . "'");
    while ($ar = $rs->Fetch()):
        CBasket::DisplayItem($ar); // Displaying output using CBasket::DisplayItem() function
    endwhile;
endif;
?>
```

An attacker who knows a basket identifier can view the contents of an arbitrary basket, because the script never checks that the basket belongs to the current user.
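A hardened version of the basket script, added here as an example (not code from the original page or from Bitrix): the lookup is bound to the authenticated user and parameterised. An in-memory SQLite database and a plain array stand in for the real connection and $_SESSION so that it runs stand-alone; the table and column names are assumptions.

```php
<?php
// Added example, not code from the original page or from Bitrix: the basket
// lookup bound to the authenticated user. An in-memory SQLite database and a
// plain-array session stand in for the real connection and $_SESSION so the
// script runs stand-alone; table and column names are assumptions.
declare(strict_types=1);

function loadBasket(PDO $pdo, int $basketId, int $userId): array
{
    // The owner is part of the WHERE clause, so an id that was guessed or
    // incremented by one but belongs to someone else yields no rows. The
    // statement is parameterised, so the id never becomes part of the SQL text.
    $stmt = $pdo->prepare(
        'SELECT id, item, qty FROM tbl_basket WHERE id = :id AND user_id = :uid'
    );
    $stmt->execute([':id' => $basketId, ':uid' => $userId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function showBasket(PDO $pdo, array $session, array $get): string
{
    // No authenticated user: nothing is shown, whatever id was supplied.
    if (!isset($session['user_id'])) {
        return '401 Authentication required';
    }
    $basketId = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($basketId === false) {
        return '400 Invalid basket id';
    }
    $rows = loadBasket($pdo, $basketId, (int) $session['user_id']);
    if ($rows === []) {
        // Same answer whether the basket is missing or belongs to another user.
        return '404 Basket not found';
    }
    return '200 ' . json_encode($rows);
}

// Constructed sample data: basket 1 belongs to user 7, basket 2 to user 8.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE tbl_basket (id INTEGER, user_id INTEGER, item TEXT, qty INTEGER)');
$pdo->exec("INSERT INTO tbl_basket VALUES (1, 7, 'book', 2), (2, 8, 'lamp', 1)");

echo showBasket($pdo, ['user_id' => 7], ['id' => '1']), "\n";         // own basket
echo showBasket($pdo, ['user_id' => 7], ['id' => '2']), "\n";         // another user's basket
echo showBasket($pdo, [], ['id' => '1']), "\n";                       // no session
echo showBasket($pdo, ['user_id' => 7], ['id' => "1' or 1=1"]), "\n"; // tampered id
```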

1.2 CWE-352: Cross-site Request Forgery

The following example contains a simple HTML form that is used to leave comments for website owners:

```html
<form name="tstForm" action="/index.php" method="POST">
<input type="text" name="sName" value="" />
<textarea name="sText"></textarea>
<input type="submit" name="btSubmit" value="Send!">
</form>
```

The above form sends an HTTP POST request to the /index.php script, which contains the following code:

```php
<?php
$sName = $_POST["sName"] ?? "";
$sText = $_POST["sText"] ?? "";
// Only non-empty fields and an authenticated session are checked;
// nothing verifies that the request came from the application's own form
if ($sName && $sText && CUser::IsAuthorized())
    CComment::AddComment($sName, $sText);
else
    echo "Error";
?>
```

The above code publishes a comment when certain conditions are met: if the $sName and $sText variables are not empty and the user is authenticated in the application, the function CComment::AddComment is executed and the comment is published. An attacker can trick a victim into visiting a webpage that sends the same request to the application. If the victim is authenticated in the application, the comment will be published as well, because nothing in the request proves that it originated from the application's own form.
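The same form and handler protected with a per-session anti-CSRF token, added here as an example (not code from the original page). A plain array stands in for $_SESSION so the script runs stand-alone; CComment::AddComment and CUser::IsAuthorized remain the application's own helpers, assumed as in the original snippet.

```php
<?php
// Added example, not code from the original page: the comment form and handler
// protected by a per-session anti-CSRF token. A plain array stands in for
// $_SESSION so the script runs stand-alone; CComment::AddComment and
// CUser::IsAuthorized remain the application's own (assumed) helpers.
declare(strict_types=1);

function csrfToken(array &$session): string
{
    // One random 256-bit token per session, created on first use.
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function renderCommentForm(array &$session): string
{
    // The token travels in a hidden field that a page on another origin cannot read.
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<form name="tstForm" action="/index.php" method="POST">'
        . '<input type="hidden" name="csrf_token" value="' . $token . '" />'
        . '<input type="text" name="sName" value="" />'
        . '<textarea name="sText"></textarea>'
        . '<input type="submit" name="btSubmit" value="Send!" /></form>';
}

function csrfTokenIsValid(array $session, array $post): bool
{
    // Constant-time comparison; a missing field is rejected, not compared against ''.
    return isset($session['csrf_token'], $post['csrf_token'])
        && is_string($post['csrf_token'])
        && hash_equals($session['csrf_token'], $post['csrf_token']);
}

function handleComment(array $session, array $post, bool $authorized): string
{
    $name = $post['sName'] ?? '';
    $text = $post['sText'] ?? '';
    if (!$authorized || $name === '' || $text === '' || !csrfTokenIsValid($session, $post)) {
        return 'Error'; // same outcome as before for every failed check
    }
    return "Comment by $name accepted"; // CComment::AddComment($name, $text) in the real app
}

// Constructed walk-through: a genuine submission versus one forged without the token.
$session = [];
renderCommentForm($session);
$genuine = ['sName' => 'alice', 'sText' => 'hello', 'csrf_token' => $session['csrf_token']];
$forged  = ['sName' => 'alice', 'sText' => 'hello'];
echo handleComment($session, $genuine, true), "\n";
echo handleComment($session, $forged, true), "\n";
```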

Client-side vulnerabilities

Client applications that do not verify the authenticity of the server application are also prone to this weakness. A prime example of this vulnerability in client-side applications is the Man-in-the-Middle attack, where an attacker is able to spoof the server's identity and perform certain actions against clients.
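What verifying the server's identity looks like on the client side, added here as an example (not code from the original page): a PHP 8 cURL client that validates the certificate chain and host name, shown next to the configuration that disables the check. The URL, CA bundle path and pin value are placeholders; run it against an endpoint of your own.

```php
<?php
// Added example, not code from the original page: an HTTPS client that verifies
// the server's identity, next to the configuration that switches the check off.
// The URL, CA bundle path and pin value are placeholders.
declare(strict_types=1);

function insecureHandle(string $url): CurlHandle
{
    // Weak configuration: any certificate for any host name is accepted, so a
    // party in the middle can present its own certificate and go unnoticed.
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_SSL_VERIFYHOST => 0,
    ]);
    return $ch;
}

function verifiedHandle(string $url, ?string $caBundle = null, ?string $spkiPin = null): CurlHandle
{
    // The chain must lead to a trusted root and the certificate must match the host
    // name in the URL (VERIFYHOST 2); optionally pin the server's public key as well.
    $opts = [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // never fall back to plain http
    ];
    if ($caBundle !== null) {
        $opts[CURLOPT_CAINFO] = $caBundle;         // e.g. a private CA for internal services
    }
    if ($spkiPin !== null) {
        $opts[CURLOPT_PINNEDPUBLICKEY] = $spkiPin; // 'sha256//<base64 SPKI hash>'
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, $opts);
    return $ch;
}

function fetchOrFail(CurlHandle $ch): string
{
    $body = curl_exec($ch);
    if ($body === false) {
        // Certificate and host-name failures land here; they are fatal, never a
        // reason to retry with verification disabled.
        throw new RuntimeException('Transport failure: ' . curl_error($ch));
    }
    return $body;
}

echo fetchOrFail(verifiedHandle('https://api.example.com/')); // placeholder URL
```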

2. Potential impact

An attacker who controls user input or is able to influence network connectivity can perform a variety of actions and gain access to potentially sensitive information or even execute arbitrary code on the vulnerable system.

3. Attack patterns

An attacker might use the following attack patterns to exploit this weakness:


This weakness is partially described under WASC-37 (Session Fixation) in WASC Threat Classification.

4. Affected software

Any application that handles input data can be vulnerable to this weakness.

5. Exploitation Examples

We will demonstrate exploitation of insufficient verification of data authenticity against a popular content management system, Bitrix Site Manager. Security advisory HTB23183 describes a vulnerability in the e-Store module of Bitrix Site Manager.

The /bitrix/modules/sale/general/basket.php script uses the BITRIX_SM_SALE_UID cookie to identify a guest user, as shown in the image below:

[Image: HTB23183 advisory CWE-345 PoC exploitation example]

Let's create a new order using a different browser and then increase the value of the BITRIX_SM_SALE_UID cookie by 1:

[Image: HTB23183 advisory CWE-345 PoC exploitation example]

This example demonstrates how an attacker can spoof the identity of a valid customer and view the contents of an arbitrary basket.

6. Severity and CVSS Scoring

Insufficient verification of data authenticity may lead to different impacts and should be scored considering the maximum possible impact. Access complexity for client applications is usually set to Medium because of possible complications in the exploitation process.

Remote Code Execution

A remote code execution vulnerability in server application should be scored as follows:
9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) – Critical severity.

Content Spoofing

4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) – Medium severity.

Information Disclosure Vulnerability

4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) – Medium severity.

Data Manipulation Vulnerability

6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) – Medium severity.

7. Mitigations

The only way to protect an application against this weakness is to perform additional checks on data authenticity. When developing the application, consider all possible input data sources, use unique tokens to validate user input, and always verify client and server identity.

8. References

  1. CWE-345: Insufficient Verification of Data Authenticity [cwe.mitre.org]

9. Latest HTB Security Advisories with CWE-22


Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to High-Tech Bridge is given.
