1 vulnerability classified as CWE-293 (Using Referer Field for Authentication). AI Chinese analysis included.
CWE-293 is an authentication weakness in which an application relies on the HTTP Referer header to verify user identity or session validity. Because this header is entirely client-controlled, an attacker can forge or alter its value to bypass the check, impersonating a legitimate user or reaching restricted resources without valid credentials. The authentication decision then rests on nothing more than a trivially modified request. To prevent this weakness, developers must never use the Referer field as the sole basis for a security decision. Instead, they should implement server-side authentication that uses secure tokens, such as signed cookies or JWTs, so that access control depends on cryptographically verified data rather than on an easily spoofed HTTP header.
The CWE example code that grants a session based on the Referer value, first as C-style pseudocode:

```c
/* Vulnerable: a client-controlled header is the only authentication check. */
const char *trustedReferer = "http://www.example.com/";
while (true) {
    n = read(newsock, buffer, BUFSIZE);
    requestPacket = processPacket(buffer, n);
    /* Any client can send exactly this Referer value, so the check proves nothing. */
    if (strcmp(requestPacket.referer, trustedReferer) == 0) {
        openNewSecureSession(requestPacket);
    }
}
```

and the equivalent Java servlet code:

```java
boolean processConnectionRequest(HttpServletRequest request) {
    // Vulnerable: the Referer header is attacker-supplied and must not grant privilege.
    String referer = request.getHeader("referer");
    String trustedReferer = "http://www.example.com/";
    // Compare from the constant so a missing header yields false rather than a NullPointerException.
    if (trustedReferer.equals(referer)) {
        openPrivilegedConnection(request);
        return true;
    } else {
        sendPrivilegeError(request);
        return false;
    }
}
```

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2023-20025 | Cisco Small Business RV016 input validation error vulnerability — Cisco Small Business RV Series Router Firmware | 9.0 | Critical | 2023-01-19 |
Vulnerabilities classified as CWE-293 (Using Referer Field for Authentication) account for 1 CVE. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.
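The Referer check from the example code above beside the hardened form the description calls for (a server-verified signed token), as an added Python example that is not from the CWE page or the CWE sample code; the `session` cookie name, the `user|expiry|mac` token layout, the key and the helper names are constructed for this demo.

```python
import hashlib
import hmac
import time
from typing import Optional

TRUSTED_REFERER = "http://www.example.com/"
# Constructed demo key; a real deployment loads a random key from a secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def authorize_by_referer(headers: dict) -> bool:
    """Weak check (CWE-293): the header is client-chosen, so any client can send the trusted value."""
    return headers.get("referer") == TRUSTED_REFERER


def issue_session_token(user: str, key: bytes, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Server mints 'user|expiry|mac' at login; only a holder of key can produce a verifying MAC."""
    now = int(time.time()) if now is None else now
    payload = f"{user}|{now + ttl}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def _session_cookie(headers: dict) -> str:
    """Extract the 'session' value from a Cookie header (constructed cookie name)."""
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return value
    return ""


def authorize_by_signed_token(headers: dict, key: bytes, now: Optional[int] = None) -> Optional[str]:
    """Hardened check: returns the user, or None if the cookie is missing, malformed,
    tampered with, signed under another key, or expired. Referer plays no part."""
    parts = _session_cookie(headers).split("|")
    if len(parts) != 3:
        return None
    user, expiry, mac = parts
    expected = hmac.new(key, f"{user}|{expiry}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so MAC verification leaks no timing information.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    now = int(time.time()) if now is None else now
    if not expiry.isdecimal() or int(expiry) <= now:
        return None
    return user
```

A request carrying only the expected Referer passes `authorize_by_referer` but is rejected by `authorize_by_signed_token`, which also rejects tokens whose user field was edited, tokens minted under a different key, and expired tokens.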