CWE-940 Base Incompleto

Improper Verification of Source of a Communication Channel

This vulnerability occurs when an application accepts incoming communication requests without properly checking where they originate from, allowing potentially malicious sources to establish a…

Definición

What is CWE-940?

This vulnerability occurs when an application accepts incoming communication requests without properly checking where they originate from, allowing potentially malicious sources to establish a connection.
When an application fails to verify the true source of a communication channel—such as a network connection, inter-process communication, or API request—it essentially opens a door without checking who's knocking. Attackers can exploit this by spoofing their origin, making malicious traffic appear legitimate, and tricking the system into accepting unauthorized connections. This lack of verification can lead to severe security breaches, including privilege escalation, data theft, or unauthorized access to internal functionality. Developers should implement strong origin validation—like checking IP addresses, using authentication handshakes, or verifying cryptographic signatures—before establishing any communication channel to ensure only trusted sources can interact with the system.
Impacto en el mundo real

Real-world CVEs caused by CWE-940

  • CVE-2000-1218

    DNS server can accept DNS updates from hosts that it did not query, leading to cache poisoning

  • CVE-2005-0877

    DNS server can accept DNS updates from hosts that it did not query, leading to cache poisoning

  • CVE-2001-1452

    DNS server caches glue records received from non-delegated name servers

Cómo lo explotan los atacantes

Ruta del atacante paso a paso

  1. 1

    This Android application will remove a user account when it receives an intent to do so:

  2. 2

    This application does not check the origin of the intent, thus allowing any malicious application to remove a user. Always check the origin of an intent, or create an allowlist of trusted applications using the manifest.xml file.

  3. 3

    These Android and iOS applications intercept URL loading within a WebView and perform special actions if a particular URL scheme is used, thus allowing the Javascript within the WebView to communicate with the application:

  4. 4

    A call into native code can then be initiated by passing parameters within the URL:

  5. 5

    Because the application does not check the source, a malicious website loaded within this WebView has the same access to the API as a trusted site.

Ejemplo de código vulnerable

Vulnerable Java

This Android application will remove a user account when it receives an intent to do so:

Vulnerable Java 
IntentFilter filter = new IntentFilter("com.example.RemoveUser");
  MyReceiver receiver = new MyReceiver();
  registerReceiver(receiver, filter);
  public class DeleteReceiver extends BroadcastReceiver {
  	@Override
  	public void onReceive(Context context, Intent intent) {
  		int userID = intent.getIntExtra("userID");
  		destroyUserData(userID);
  	}
  }
Payload del atacante

A call into native code can then be initiated by passing parameters within the URL:

Payload del atacante JavaScript 
window.location = examplescheme://method?parameter=value
Ejemplo de código seguro

Secure pseudo

Seguro pseudo 
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de prevención

How to prevent CWE-940

  • Architecture and Design Use a mechanism that can validate the identity of the source, such as a certificate, and validate the integrity of data to ensure that it cannot be modified in transit using an Adversary-in-the-Middle (AITM) attack. When designing functionality of actions in the URL scheme, consider whether the action should be accessible to all mobile applications, or if an allowlist of applications to interface with is appropriate.
Señales de detección

How to detect CWE-940

SAST High

Ejecuta análisis estático (SAST) sobre el código buscando el patrón inseguro en el flujo de datos.

DAST Moderate

Ejecuta pruebas dinámicas de seguridad de aplicaciones (DAST) contra el endpoint en vivo.

Runtime Moderate

Vigila los logs en tiempo de ejecución para detectar trazas de excepción inusuales, entradas malformadas o intentos de bypass de autorización.

Code review Moderate

Revisión de código: marca cualquier código nuevo que maneje entrada desde esta superficie sin usar los helpers validados del framework.

Auto-corrección de Plexicus

Plexicus detecta automáticamente CWE-940 y abre un PR de corrección en menos de 60 segundos.

Codex Remedium escanea cada commit, identifica esta debilidad concreta y entrega un pull request listo para revisión con el parche. Sin tickets. Sin traspasos.

Solicitar demo Probar Plexicus gratis
Preguntas frecuentes

Frequently asked questions

¿Qué es CWE-940?

This vulnerability occurs when an application accepts incoming communication requests without properly checking where they originate from, allowing potentially malicious sources to establish a connection.

¿Qué gravedad tiene CWE-940?

MITRE no ha publicado una calificación de probabilidad de explotación para esta debilidad. Trátala como de impacto medio hasta que tu modelo de amenazas demuestre lo contrario.

¿Qué lenguajes o plataformas se ven afectados por CWE-940?

MITRE lists the following affected platforms: Mobile.

¿Cómo puedo prevenir CWE-940?

Use a mechanism that can validate the identity of the source, such as a certificate, and validate the integrity of data to ensure that it cannot be modified in transit using an Adversary-in-the-Middle (AITM) attack. When designing functionality of actions in the URL scheme, consider whether the action should be accessible to all mobile applications, or if an allowlist of applications to interface with is appropriate.

¿Cómo detecta y corrige Plexicus CWE-940?

El motor SAST de Plexicus detecta la firma de flujo de datos para CWE-940 en cada commit. Cuando hay coincidencia, nuestro agente Codex Remedium abre un PR de corrección con el código corregido, las pruebas y un resumen de una línea para el revisor.

¿Dónde puedo aprender más sobre CWE-940?

MITRE publica la definición canónica en https://cwe.mitre.org/data/definitions/940.html. También puedes consultar la documentación de OWASP y NIST para guías relacionadas.

Debilidades relacionadas

Weaknesses related to CWE-940

CWE-923 Padre

Improper Restriction of Communication Channel to Intended Endpoints

This vulnerability occurs when a system opens a communication channel for a sensitive task but fails to properly verify that it's actually…

CWE-1275 Hermano

Sensitive Cookie with Improper SameSite Attribute

This vulnerability occurs when a sensitive cookie does not have a secure SameSite attribute configured, leaving it exposed to cross-site…

CWE-291 Hermano

Reliance on IP Address for Authentication

This vulnerability occurs when a system uses a client's IP address as the sole or primary method to verify their identity.

CWE-297 Hermano

Improper Validation of Certificate with Host Mismatch

This vulnerability occurs when an application accepts a valid SSL/TLS certificate without properly verifying that it actually belongs to…

CWE-300 Hermano

Channel Accessible by Non-Endpoint

This vulnerability occurs when a system fails to properly verify who is on the other end of a communication link or to secure the channel…

CWE-419 Hermano

Unprotected Primary Channel

This vulnerability occurs when an application exposes a privileged administrative interface or restricted functionality through a primary…

CWE-420 Hermano

Unprotected Alternate Channel

This vulnerability occurs when an application secures its main communication path but leaves a backup or alternative channel with weaker…

CWE-941 Hermano

Incorrectly Specified Destination in a Communication Channel

This vulnerability occurs when an application establishes an outgoing communication channel but fails to correctly define or enforce the…

CWE-942 Hermano

Permissive Cross-domain Security Policy with Untrusted Domains

This vulnerability occurs when a web application's cross-domain security policy, like a Content Security Policy (CSP), explicitly allows…

Recursos

Further reading

Listo cuando tú lo estés

Deja de pagar por desarrollador.
Empieza a cerrar el bucle.

Plexicus es el ASPM nativo de IA que escanea, filtra, corrige, pentestea y explica — de forma autónoma. Desarrolladores ilimitados, repos ilimitados, acciones de IA de uso justo. Nivel gratuito real, €269/mo anual cuando estés listo.

Comenzar gratis Reservar una demo