CWE-940: Improper Verification of Source of a Communication Channel

Description

The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin.

Submission Date :

Feb. 13, 2014, midnight

Modification Date :

2023-06-29 00:00:00+00:00

Organization :

MITRE
Extended Description

When an attacker can successfully establish a communication channel from an untrusted origin, the attacker may be able to gain privileges and access unexpected functionality.

Example Vulnerable Codes

Example - 1

This Android application will remove a user account when it receives an intent to do so:




int userID = intent.getIntExtra("userID");destroyUserData(userID);@Overridepublic void onReceive(Context context, Intent intent) {}IntentFilter filter = new IntentFilter("com.example.RemoveUser");MyReceiver receiver = new MyReceiver();registerReceiver(receiver, filter);public class DeleteReceiver extends BroadcastReceiver {}

This application does not check the origin of the intent, thus allowing any malicious application to remove a user. Always check the origin of an intent, or create an allowlist of trusted applications using the manifest.xml file.

Example - 2

These Android and iOS applications intercept URL loading within a WebView and perform special actions if a particular URL scheme is used, thus allowing the Javascript within the WebView to communicate with the application:

// // Android// 

writeDataToView(view, UserData);return false;
return true;if(url.substring(14,25).equalsIgnoreCase("getUserInfo")){}else{}if (url.substring(0,14).equalsIgnoreCase("examplescheme:")){}@Overridepublic boolean shouldOverrideUrlLoading(WebView view, String url){}
// // iOS// 



// // Make data available back in webview.// 
UIWebView *webView = [self writeDataToView:[URL query]];
NSString *functionString = [URL resourceSpecifier];if ([functionString hasPrefix:@"specialFunction"]){}return NO;
NSURL *URL = [exRequest URL];if ([[URL scheme] isEqualToString:@"exampleScheme"]){}return YES;-(BOOL) webView:(UIWebView *)exWebView shouldStartLoadWithRequest:(NSURLRequest *)exRequest navigationType:(UIWebViewNavigationType)exNavigationType{}

A call into native code can then be initiated by passing parameters within the URL:

window.location = examplescheme://method?parameter=value

Because the application does not check the source, a malicious website loaded within this WebView has the same access to the API as a trusted site.

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

CWE-346: Origin Validation Error
Go to
CWE-923: Improper Restriction of Communication Channel to Intended Endpoints
Go to
CWE-925: Improper Verification of Intent by Broadcast Receiver
Go to

Visit http://cwe.mitre.org/ for more details.