CWE-610 Externally Controlled Reference
What this means
SiteShadow flagged a reference/target that is controlled by external input (URL, redirect target, file/resource identifier, host, bucket key). If attackers can choose "where you go" or "what you fetch/read", they can often turn it into SSRF, open redirects, or data access bypasses.
Why it matters
This can enable open redirects, SSRF, or data access abuse.
- Open redirect/phishing: attackers send users through your trusted domain to a malicious site (see CWE-601).
- SSRF/data exfiltration: the server fetches attacker-chosen URLs, including internal services (see CWE-918).
- Authorization bypass: users reference resources they shouldn't access (IDOR-style; see CWE-286/CWE-863).
Safer examples
1) Use allowlists for destinations
Map user choices to known destinations rather than accepting raw URLs or resource names.
const destinations = { home: "/home", billing: "/billing" };
// Check own properties only: `destinations["constructor"]` is truthy via the prototype chain.
const choice = req.query.to;
const key = typeof choice === "string" && Object.hasOwn(destinations, choice) ? choice : "home";
res.redirect(destinations[key]);
2) If URLs are required, allowlist scheme + host
from urllib.parse import urlparse

def validate_url(input_url):
    u = urlparse(input_url)
    # urlparse lowercases the scheme; u.hostname is lowercased with userinfo and port stripped
    if u.scheme not in ("https",):
        raise ValueError("Invalid scheme")
    if u.hostname not in {"api.example.com"}:
        raise ValueError("Invalid host")
    return u
3) Enforce authorization on referenced resources
Even with "valid" references, check the caller is allowed to access the target resource.
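The three mitigations above combined into one runnable Python module, as an added example that is not SiteShadow's own code: the destination map, the allowed host and port sets, the invoice records and the function names (resolve_redirect, validate_fetch_url, is_allowed_fetch_url, load_invoice) are all constructed for illustration. It goes slightly beyond the snippets above by also pinning the port and by showing why hostname parsing, not prefix matching, is the check that holds up against userinfo and subdomain tricks.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# 1) Redirect allowlist: external input selects a key, never a raw path or URL.
#    Constructed destination map.
DESTINATIONS = {"home": "/home", "billing": "/billing"}


def resolve_redirect(choice) -> str:
    """Map a user-supplied key to a fixed destination.

    Anything that is not a string naming an entry in DESTINATIONS (a raw URL,
    a protocol-relative "//host" path, a list from a repeated query parameter)
    falls back to the default instead of being echoed into the redirect.
    """
    if isinstance(choice, str) and choice in DESTINATIONS:
        return DESTINATIONS[choice]
    return DESTINATIONS["home"]


# 2) Outbound fetch allowlist: pin scheme, host and port, not just a string prefix.
ALLOWED_HOSTS = {"api.example.com"}   # constructed
ALLOWED_PORTS = {None, 443}           # None = the scheme's default port


def validate_fetch_url(raw: str) -> str:
    """Return `raw` unchanged if it targets an allowlisted origin, else raise ValueError."""
    u = urlparse(raw)
    if u.scheme != "https":                 # urlparse lowercases the scheme
        raise ValueError("Invalid scheme")
    # u.hostname is lowercased and has userinfo and port stripped, so
    # "https://api.example.com@evil.example/" yields hostname "evil.example";
    # a str.startswith("https://api.example.com") check would have accepted it.
    if u.hostname not in ALLOWED_HOSTS:
        raise ValueError("Invalid host")
    if u.port not in ALLOWED_PORTS:         # u.port itself raises ValueError on a non-numeric port
        raise ValueError("Invalid port")
    return raw


def is_allowed_fetch_url(raw: str) -> bool:
    """Boolean wrapper around validate_fetch_url for table-style checks."""
    try:
        validate_fetch_url(raw)
    except ValueError:
        return False
    return True


# 3) Authorization on referenced resources: resolving the id is not enough.
@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    owner_id: str


# Constructed sample records.
INVOICES = {
    "inv-1001": Invoice("inv-1001", owner_id="alice"),
    "inv-1002": Invoice("inv-1002", owner_id="bob"),
}


class AccessDenied(Exception):
    pass


def load_invoice(invoice_id: str, caller_id: str) -> Invoice:
    """Look up a user-supplied id, then check the caller owns it.

    A missing id and someone else's id raise the same error so the response
    does not reveal which identifiers exist.
    """
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner_id != caller_id:
        raise AccessDenied(invoice_id)
    return inv


if __name__ == "__main__":
    for url in ("https://api.example.com/v1/users",
                "https://api.example.com@evil.example/",
                "https://api.example.com:8443/"):
        print(url, "->", is_allowed_fetch_url(url))
```

Running the module prints the verdict for a valid URL, a userinfo trick and a non-default port. Note that pinning the host only constrains the first request: if the allowlisted server answers with a redirect, an HTTP client that follows redirects automatically will fetch the new location unchecked, so the fetch should either disable redirect following or re-run validate_fetch_url on each hop.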
How SiteShadow detects it (high level)
- Detects redirect/fetch/file/resource selection code paths influenced by request/user input.
- Flags missing allowlists, host validation, and authorization checks near the sink.
References
- CWE-610: https://cwe.mitre.org/data/definitions/610.html