Externally Controlled Reference to a Resource in Another Sphere

Description

This vulnerability occurs when an application uses user-supplied input to reference a resource located outside its intended security boundary, allowing attackers to redirect operations to unintended locations.

Extended Description

This flaw typically happens when developers treat all resource identifiers (like filenames, URLs, or keys) as safe, even when they come from untrusted sources like user input, configuration files, or API responses. Attackers exploit this by injecting paths or references that "escape" the application's intended directory, server, or cloud environment—often using sequences like `../` to traverse directories or full URLs to external systems. The core issue is a failure to validate that a referenced resource actually resides within the allowed security sphere before accessing it. To prevent this, always validate and sanitize all resource references against an allow-list of permitted locations. Implement strict access controls and use mechanisms like chroot jails, container boundaries, or signed URLs to enforce isolation. Never rely solely on input filtering; instead, design your system to map user-provided identifiers to actual resources through an indirect reference map or lookup table that you fully control.

Common Consequences 2

Scope: ConfidentialityIntegrity

Impact: Read Application DataModify Application Data

An adversary could read or modify data, depending on how the resource is intended to be used.

Scope: Access Control

Impact: Gain Privileges or Assume Identity

An adversary that can supply a reference to an unintended resource can potentially access a resource that they do not have privileges for, thus bypassing existing access control mechanisms.

Demonstrative Examples 1

ID : DX-194

The following code is a Java servlet that will receive a GET request with a url parameter in the request to redirect the browser to the address specified in the url parameter. The servlet will retrieve the url parameter value from the request and send a response to redirect the browser to the url address.

Code Example:Bad
Java
java

The problem with this Java servlet code is that an attacker could use the RedirectServlet as part of an e-mail phishing scam to redirect users to a malicious site. An attacker could send an HTML formatted e-mail directing the user to log into their account by including in the e-mail the following link:

Code Example:Attack
HTML
html

The user may assume that the link is safe since the URL starts with their trusted bank, bank.example.com. However, the user will then be redirected to the attacker's web site (attacker.example.net) which the attacker may have made to appear very similar to bank.example.com. The user may then unwittingly enter credentials into the attacker's web page and compromise their bank account. A Java servlet should never redirect a user to a URL without verifying that the redirect address is a trusted site.

Observed Examples 6

CVE-2022-3032An email client does not block loading of remote objects in a nested document.

CVE-2022-45918Chain: a learning management tool debugger uses external input to locate previous session logs (External Control of File Name or Path) and does not properly validate the given path (Improper Input Validation), allowing for filesystem path traversal using "../" sequences (Path Traversal: '../filedir')

CVE-2018-1000613Cryptography API uses unsafe reflection when deserializing a private key

CVE-2020-11053Chain: Go-based Oauth2 reverse proxy can send the authenticated user to another site at the end of the authentication flow. A redirect URL with HTML-encoded whitespace characters can bypass the validation (Improper Validation of Unsafe Equivalence in Input) to redirect to a malicious site (URL Redirection to Untrusted Site ('Open Redirect'))

CVE-2022-42745Recruiter software allows reading arbitrary files using XXE

CVE-2004-2331Database system allows attackers to bypass sandbox restrictions by using the Reflection API.

Modes of Introduction

Architecture and Design

Related Attack Patterns

219
Storage of File with Sensitive Data Under Web Root

Related Weaknesses

ChildOf:

Improper Control of a Resource Through its Lifetime (CWE-664)

Notes

RelationshipThis is a general class of weakness, but most research is focused on more specialized cases, such as path traversal (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')) and symlink following (UNIX Symbolic Link (Symlink) Following). A symbolic link has a name; in general, it appears like any other file in the file system. However, the link includes a reference to another file, often in another directory - perhaps in another sphere of control. Many common library functions that accept filenames will "follow" a symbolic link and use the link's target instead.

MaintenanceThe relationship between Improper Control of Resource Identifiers ('Resource Injection') and Externally Controlled Reference to a Resource in Another Sphere needs further investigation and clarification. They might be duplicates. Improper Control of Resource Identifiers ('Resource Injection') "Resource Injection," as originally defined in Seven Pernicious Kingdoms taxonomy, emphasizes the "identifier used to access a system resource" such as a file name or port number, yet it explicitly states that the "resource injection" term does not apply to "path manipulation," which effectively identifies the path at which a resource can be found and could be considered to be one aspect of a resource identifier. Also, Externally Controlled Reference to a Resource in Another Sphere effectively covers any type of resource, whether that resource is at the system layer, the application layer, or the code layer.