LiveActive security incident?Get immediate response
CWE Reference

CWE-807: Reliance on Untrusted Inputs in a Security… | Glexia

CWE-807 (Reliance on Untrusted Inputs in a Security Decision) weakness overview with consequences, detection methods, mitigations, related CVEs and MITRE ATT&CK…

Release 4.20weaknessIncomplete

Glexia's Take · Automated analysis

CWE-807: Reliance on Untrusted Inputs in a Security Decision

Reliance on Untrusted Inputs in a Security Decision represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.

Executive Impact

  • Confidentiality,Access Control,Availability,Other: Bypass Protection Mechanism,Gain Privileges or Assume Identity,Varies by Context: Attackers can bypass the security decision to access whatever is being protected. The consequences will depend on the associated functionality, but they can range from granting additional privileges to untrusted users to bypassing important security checks. Ultimately, this weakness may lead to exposure or modification of sensitive data, system crash, or execution of arbitrary code.

Developer Pattern

CWE-807 is the kind of defect developers can usually prevent with explicit validation, safer framework defaults, and tests that exercise hostile input or unsafe state transitions.

Automation confidence

high confidence from CWE-807, 4.20.

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Official CWE Definition

CWE-807: Reliance on Untrusted Inputs in a Security Decision

The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.

Type
weakness
Abstraction
Base
Status
Incomplete
Source
MITRE CWE definition

Developer And Remediation Guidance

How teams prevent and detect this weakness

Causes

  • The following code excerpt reads a value from a browser cookie to determine the role of the user.
  • The following code could be for a medical records application. It performs authentication by checking if a cookie has been set. The programmer expects that the AuthenticateUser() check will always be applied, and the "authenticated" cookie will only be set when authentication succeeds. The programmer even diligently specifies a 2-hour expiration for the cookie.,However, the attacker can set the "authenticated" cookie to a non-zero value such as 1. As a result, the $auth variable is 1, and the AuthenticateUser() check is not even performed. The attacker has bypassed the authentication.
  • In the following example, an authentication flag is read from a browser cookie, thus allowing for external control of user state data.
  • The following code samples use a DNS lookup in order to decide whether or not an inbound request is from a trusted host. If an attacker can poison the DNS cache, they can gain trusted status. IP addresses are more reliable than DNS names, but they can also be spoofed. Attackers can easily forge the source IP address of the packets they send, but response packets will return to the forged IP address. To see the response packets, the attacker has to sniff the traffic between the victim machine and the forged IP address. In order to accomplish the required sniffing, attackers typically attempt to locate themselves on the same subnet as the victim machine. Attackers may be able to circumvent this requirement by using source routing, but source routing is disabled across much of the Internet today. In summary, IP address verification can be a useful part of an authentication scheme, but it should not be the single factor required for authentication.

Remediation

  • Architecture and Design:
  • Architecture and Design: For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
  • Operation,Implementation: When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.
  • Architecture and Design,Implementation:

Detection

  • Manual Static Analysis: Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints.
  • Automated Static Analysis - Binary or Bytecode:
  • Manual Static Analysis - Binary or Bytecode:
  • Dynamic Analysis with Automated Results Interpretation:
  • Dynamic Analysis with Manual Results Interpretation:
  • Manual Static Analysis - Source Code:
  • Automated Static Analysis - Source Code:
  • Architecture or Design Review:

Mappings

Related CVEs, CWEs, and ATT&CK context