Business Logic / Ability to Forge Requests
Description
Ability to Forge Requests is a vulnerability in web and API applications that lets attackers send the application requests carrying forged data. It is classified under CWE-502 (Deserialization of Untrusted Data) in the Common Weakness Enumeration (CWE) list and is identified as a Business Logic vulnerability in the OWASP Testing Guide.
Risk
The risk of Ability to Forge Requests can be severe: attackers can read or modify data in the application, allowing them to steal or manipulate data or disrupt normal application operations. The risk grows further when the application does not validate its inputs properly and lets requests with forged data pass through.
Solution
The best protection against Ability to Forge Requests is to validate every request and input to the application. Each input should be checked against an allowlist (whitelist) of acceptable values, and any request carrying forged data should be rejected.
Example
An example of Ability to Forge Requests can be seen in CVE-2018-8014, where attackers could exploit a vulnerability in the Joomla! CMS to send requests with forged data, allowing them to gain administrator privileges and access sensitive data.
// vulnerable code: unserialize() on raw request data lets the client
// instantiate arbitrary classes and control every field it sends,
// and the loose comparison (==) is easily satisfied
$data = file_get_contents('php://input');
$data = unserialize($data);
if (isset($data['action']) && $data['action'] == 'login') {
    // process login
}

// safe version: parse with json_decode() instead of unserialize(), then
// accept only explicitly listed action values (strict comparison)
$data = json_decode(file_get_contents('php://input'), true);
$allowed = array('login', 'logout', 'reset');
if (is_array($data) && isset($data['action']) && in_array($data['action'], $allowed, true)) {
    // dispatch on the validated action (login, logout or reset)
} else {
    // reject the request
}
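The allowlist validation from the Solution section carried one step further, as an added example that is not code from the original page: each allowed action gets a schema of expected fields and types, so unknown actions, unexpected fields and wrong types are all rejected. It assumes PHP 7.3 or later (for JSON_THROW_ON_ERROR); the validateRequest() function and ALLOWED_ACTIONS constant are hypothetical names chosen here.

```php
<?php
// Per-action allowlist of expected fields and their gettype() names. Any field
// not listed (e.g. a client-supplied "is_admin") marks the request as forged.
const ALLOWED_ACTIONS = [
    'login'  => ['username' => 'string', 'password' => 'string'],
    'logout' => [],
    'reset'  => ['username' => 'string'],
];
function validateRequest(string $raw): array
{
    // Parse as JSON, never unserialize(): JSON cannot instantiate objects
    // or trigger __wakeup()/__destruct() on arbitrary classes.
    $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($data) || !isset($data['action']) || !is_string($data['action'])) {
        throw new InvalidArgumentException('missing or non-string action');
    }
    $action = $data['action'];
    if (!array_key_exists($action, ALLOWED_ACTIONS)) {
        throw new InvalidArgumentException('unknown action');
    }
    $schema = ALLOWED_ACTIONS[$action];
    $fields = array_diff_key($data, ['action' => true]);
    // Reject extra keys outright rather than silently ignoring them.
    $unexpected = array_diff_key($fields, $schema);
    if ($unexpected !== []) {
        throw new InvalidArgumentException('unexpected field(s): ' . implode(', ', array_keys($unexpected)));
    }
    foreach ($schema as $name => $type) {
        if (!array_key_exists($name, $fields) || gettype($fields[$name]) !== $type) {
            throw new InvalidArgumentException("field '$name' missing or not $type");
        }
    }
    return ['action' => $action] + $fields;
}
// Constructed sample inputs: a well-formed login, a login with a forged
// field, and an action that is not on the allowlist.
$samples = [
    '{"action":"login","username":"alice","password":"s3cret"}',
    '{"action":"login","username":"alice","password":"x","is_admin":true}',
    '{"action":"admin","username":"alice"}',
];
foreach ($samples as $raw) {
    try {
        echo 'accepted: ' . validateRequest($raw)['action'] . "\n";
    } catch (JsonException | InvalidArgumentException $e) {
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
}
```

Only the first sample is accepted; the second is rejected for the extra "is_admin" field and the third for an action that is not on the allowlist.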