CWE-346 Clase Borrador

Origin Validation Error

This vulnerability occurs when an application fails to properly confirm the true origin of incoming data or communication, allowing attackers to spoof their source.

Definición

What is CWE-346?

This vulnerability occurs when an application fails to properly confirm the true origin of incoming data or communication, allowing attackers to spoof their source.
Origin Validation Errors happen because applications often trust metadata like IP addresses, DNS names, or HTTP headers that can be easily forged. Attackers exploit this by impersonating legitimate systems, tricking the application into accepting malicious data as if it came from a trusted source. This is a fundamental flaw in the trust boundary of the system. To prevent this, developers must implement robust verification mechanisms that rely on unforgeable credentials, such as cryptographic signatures or secure tokens, rather than easily spoofed information. Always validate the origin at the point of trust establishment and consistently enforce this check for all subsequent interactions.
Impacto en el mundo real

Real-world CVEs caused by CWE-346

  • CVE-2000-1218

    DNS server can accept DNS updates from hosts that it did not query, leading to cache poisoning

  • CVE-2018-6074

    Browser does not set Mark-of-the-Web (MotW) for a downloaded .EXE file if the name is close to the maximum path length, preventing recording of a zone identifier in the filename

  • CVE-2025-0411

    Zip file extraction program does not propagate Mark-of-the-Web (MotW) metadata to files that are extracted from an Internet-downloaded Zip file

  • CVE-2025-46652

    Zip file extraction program does not propagate Mark-of-the-Web (MotW) metadata to files that are extracted from an Internet-downloaded Zip file

  • CVE-2005-0877

    DNS server can accept DNS updates from hosts that it did not query, leading to cache poisoning

  • CVE-2001-1452

    DNS server caches glue records received from non-delegated name servers

  • CVE-2005-2188

    user ID obtained from untrusted source (URL)

  • CVE-2003-0174

    LDAP service does not verify if a particular attribute was set by the LDAP server

Cómo lo explotan los atacantes

Ruta del atacante paso a paso

  1. 1

    This Android application will remove a user account when it receives an intent to do so:

  2. 2

    This application does not check the origin of the intent, thus allowing any malicious application to remove a user. Always check the origin of an intent, or create an allowlist of trusted applications using the manifest.xml file.

  3. 3

    These Android and iOS applications intercept URL loading within a WebView and perform special actions if a particular URL scheme is used, thus allowing the Javascript within the WebView to communicate with the application:

  4. 4

    A call into native code can then be initiated by passing parameters within the URL:

  5. 5

    Because the application does not check the source, a malicious website loaded within this WebView has the same access to the API as a trusted site.

Ejemplo de código vulnerable

Vulnerable Java

This Android application will remove a user account when it receives an intent to do so:

Vulnerable Java 
IntentFilter filter = new IntentFilter("com.example.RemoveUser");
  MyReceiver receiver = new MyReceiver();
  registerReceiver(receiver, filter);
  public class DeleteReceiver extends BroadcastReceiver {
  	@Override
  	public void onReceive(Context context, Intent intent) {
  		int userID = intent.getIntExtra("userID");
  		destroyUserData(userID);
  	}
  }
Payload del atacante

A call into native code can then be initiated by passing parameters within the URL:

Payload del atacante JavaScript 
window.location = examplescheme://method?parameter=value
Ejemplo de código seguro

Secure pseudo

Seguro pseudo 
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de prevención

How to prevent CWE-346

  • Architecture Use safe-by-default frameworks and APIs that prevent the unsafe pattern from being expressible.
  • Implementation Validate input at trust boundaries; use allowlists, not denylists.
  • Implementation Apply the principle of least privilege to credentials, file paths, and runtime permissions.
  • Testing Cover this weakness in CI: SAST rules + targeted unit tests for the data flow.
  • Operation Monitor logs for the runtime signals listed in the next section.
Señales de detección

How to detect CWE-346

SAST High

Ejecuta análisis estático (SAST) sobre el código buscando el patrón inseguro en el flujo de datos.

DAST Moderate

Ejecuta pruebas dinámicas de seguridad de aplicaciones (DAST) contra el endpoint en vivo.

Runtime Moderate

Vigila los logs en tiempo de ejecución para detectar trazas de excepción inusuales, entradas malformadas o intentos de bypass de autorización.

Code review Moderate

Revisión de código: marca cualquier código nuevo que maneje entrada desde esta superficie sin usar los helpers validados del framework.

Auto-corrección de Plexicus

Plexicus detecta automáticamente CWE-346 y abre un PR de corrección en menos de 60 segundos.

Codex Remedium escanea cada commit, identifica esta debilidad concreta y entrega un pull request listo para revisión con el parche. Sin tickets. Sin traspasos.

Solicitar demo Probar Plexicus gratis
Preguntas frecuentes

Frequently asked questions

¿Qué es CWE-346?

This vulnerability occurs when an application fails to properly confirm the true origin of incoming data or communication, allowing attackers to spoof their source.

¿Qué gravedad tiene CWE-346?

MITRE no ha publicado una calificación de probabilidad de explotación para esta debilidad. Trátala como de impacto medio hasta que tu modelo de amenazas demuestre lo contrario.

¿Qué lenguajes o plataformas se ven afectados por CWE-346?

MITRE no ha especificado plataformas afectadas para esta CWE — puede aplicar a la mayoría de los stacks de aplicaciones.

¿Cómo puedo prevenir CWE-346?

Use safe-by-default frameworks, validate untrusted input at trust boundaries, and apply the principle of least privilege. Cover the data-flow signature in CI with SAST.

¿Cómo detecta y corrige Plexicus CWE-346?

El motor SAST de Plexicus detecta la firma de flujo de datos para CWE-346 en cada commit. Cuando hay coincidencia, nuestro agente Codex Remedium abre un PR de corrección con el código corregido, las pruebas y un resumen de una línea para el revisor.

¿Dónde puedo aprender más sobre CWE-346?

MITRE publica la definición canónica en https://cwe.mitre.org/data/definitions/346.html. También puedes consultar la documentación de OWASP y NIST para guías relacionadas.

Debilidades relacionadas

Weaknesses related to CWE-346

CWE-345 Padre

Insufficient Verification of Data Authenticity

This vulnerability occurs when an application fails to properly check where data comes from or confirm its legitimacy, allowing untrusted…

CWE-1293 Hermano

Missing Source Correlation of Multiple Independent Data

This vulnerability occurs when a system trusts a single source of data without verification, making it impossible to detect if that source…

CWE-347 Hermano

Improper Verification of Cryptographic Signature

This vulnerability occurs when an application fails to properly check the digital signature on data, or skips the verification step…

CWE-348 Hermano

Use of Less Trusted Source

This vulnerability occurs when a system has access to multiple sources for the same critical data, but it chooses to rely on the less…

CWE-349 Hermano

Acceptance of Extraneous Untrusted Data With Trusted Data

This vulnerability occurs when a system processes both trusted and untrusted data together, but fails to separate them. The application…

CWE-351 Hermano

Insufficient Type Distinction

This vulnerability occurs when an application fails to properly differentiate between different types of data or objects, leading to…

CWE-352 Hermano

Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) happens when a web application cannot reliably tell if a user actually intended to submit a request,…

CWE-353 Hermano

Missing Support for Integrity Check

This vulnerability occurs when a system uses a communication protocol that lacks built-in integrity verification, such as a checksum or…

CWE-354 Hermano

Improper Validation of Integrity Check Value

This vulnerability occurs when software fails to properly check the integrity of data by validating its checksum or hash value. Without…

Recursos

Further reading

Listo cuando tú lo estés

Deja de pagar por desarrollador.
Empieza a cerrar el bucle.

Plexicus es el ASPM nativo de IA que escanea, filtra, corrige, pentestea y explica — de forma autónoma. Desarrolladores ilimitados, repos ilimitados, acciones de IA de uso justo. Nivel gratuito real, €269/mo anual cuando estés listo.

Comenzar gratis Reservar una demo