CWE-293
Using Referer Field for Authentication
Variant
Draft
Description
The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking.
Parent Weaknesses (ChildOf)
Common Consequences
Scope
Access Control
Impact
Gain Privileges or Assume Identity
Potential Mitigations
Architecture and Design
In order to usefully check if a given action is authorized, some means of strong authentication and method protection must be used. Use other means of authorization that cannot be simply spoofed. Possibilities include a username/password or certificate.
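As an added illustration (not part of the CWE entry), the Python below places the weak Referer-based authorization check next to a check that relies on a server-issued session credential; the trusted origin, session token and request headers are constructed for the example.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed values for this example; not taken from the CWE entry.
TRUSTED_ORIGIN = "https://app.example.test"
VALID_TOKEN = "c0ffee-session-token"

# Server-side store keyed by SHA-256 of the issued token, so a leaked store
# yields no usable tokens and the lookup does not depend on the raw value.
SESSIONS = {hashlib.sha256(VALID_TOKEN.encode()).hexdigest(): "alice"}


def authorize_by_referer(headers):
    """Weak (CWE-293): treats the client-supplied Referer header as proof that
    the request came from our own page and therefore is permitted."""
    parts = urlsplit(headers.get("Referer", ""))
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN


def _cookie(headers, name):
    """Return one cookie value from a raw Cookie header, or None."""
    for pair in headers.get("Cookie", "").split(";"):
        key, _, value = pair.strip().partition("=")
        if key == name:
            return value
    return None


def authorize_by_session(headers, sessions=SESSIONS):
    """Hardened: the decision rests on a credential the server issued and the
    client cannot fabricate. Returns the authenticated user or None."""
    token = _cookie(headers, "session")
    if not token:
        return None
    return sessions.get(hashlib.sha256(token.encode()).hexdigest())


# Constructed requests as the server sees their headers.
FORGED_REFERER = {"Referer": TRUSTED_ORIGIN + "/admin", "Cookie": ""}
REAL_USER_NO_REFERER = {"Cookie": f"session={VALID_TOKEN}"}  # browser sent no Referer


def compare_checks(headers):
    """Run both checks on one request: (referer_check_passed, authenticated_user)."""
    return authorize_by_referer(headers), authorize_by_session(headers)


if __name__ == "__main__":
    print(compare_checks(FORGED_REFERER))        # (True, None): header alone is accepted
    print(compare_checks(REAL_USER_NO_REFERER))  # (False, 'alice'): genuine user refused
```

The second request also shows the converse failure: browsers omit or trim the Referer under many Referrer-Policy settings, so a legitimate user is turned away while the credential-based check still identifies them.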
Applicable Platforms
Not Language-Specific