Corgea LogoCorgea Security Hub

CWE-837: Improper Enforcement of a Single, Unique Action

Learn about CWE-837 (Improper Enforcement of a Single, Unique Action), its security impact, exploitation methods, and prevention guidelines.

What is Improper Enforcement of a Single, Unique Action?

• Overview: Improper Enforcement of a Single, Unique Action (CWE-837) occurs when software does not adequately ensure that certain actions can only be performed once. For example, a user might be allowed to vote, request a refund, or complete a transaction only once, but if these restrictions are not enforced, it can lead to multiple unauthorized actions.

• Exploitation Methods:

  • Attackers may exploit this vulnerability by repeating actions that should be singular, such as voting multiple times in an election application or submitting multiple refund requests.
  • Common attack patterns include replay attacks where previously valid requests are resent to the server, or brute force techniques that repeatedly attempt to perform the action until successful.

• Security Impact:

  • Direct consequences include unauthorized actions being performed multiple times, leading to incorrect data or service logic being executed.
  • Potential cascading effects may involve data corruption, resource depletion, or service disruption.
  • Business impact can be significant, such as financial loss, reputational damage, or loss of trust, especially if critical actions like monetary transactions or voting are involved.

• Prevention Guidelines:

  • Specific code-level fixes include implementing mechanisms like unique tokens or nonces to ensure actions can only be performed once.
  • Security best practices involve validating the uniqueness of each action server-side, using timestamps, or audit logs to track actions.
  • Recommended tools and frameworks often include those providing built-in anti-replay protections, such as secure session management tools or libraries for handling unique transaction identifiers.
Corgea can automatically detect and fix Improper Enforcement of a Single, Unique Action in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: Not Language-Specific

Affected Technologies: Not specified

Vulnerable Code Example

// This function allows a user to redeem a discount code for a purchase.
// However, it does not enforce the restriction that the code can only be used once per user.
function redeemDiscount(userId, discountCode) {
    // Assume discounts is a global object storing discount codes and their usage
    if (discounts[discountCode] && discounts[discountCode].isValid) {
        // Apply discount to user's account without checking if it's been used before
        applyDiscount(userId, discountCode);
        console.log("Discount applied successfully.");
    } else {
        console.log("Invalid or expired discount code.");
    }
}

Explanation

In this vulnerable code example, the function redeemDiscount allows users to redeem a discount code without any checks to ensure that the code is only used once per user. This can lead to abuse where a user repeatedly uses the same discount code, violating the intended single-use policy.

How to fix Improper Enforcement of a Single, Unique Action?

To fix this vulnerability, we need to ensure that each discount code can only be redeemed once per user. This requires maintaining a record of which users have already used which discount codes. A common approach is to use a data structure (e.g., a database or a set) to track the usage of each discount code by user ID. Once a user has redeemed a code, their ID should be logged to prevent subsequent redemptions.

Fixed Code Example

// Improved function with proper enforcement of a single, unique action per user.
function redeemDiscount(userId, discountCode) {
    // Assume discounts is a global object storing discount codes and their usage
    // Assume usedDiscounts is a global object mapping userIds to a set of used discount codes
    if (discounts[discountCode] && discounts[discountCode].isValid) {
        // Initialize the user's set of used discount codes if not already done
        if (!usedDiscounts[userId]) {
            usedDiscounts[userId] = new Set();
        }

        // Check if the user has already used this discount code
        if (!usedDiscounts[userId].has(discountCode)) {
            // Apply discount to user's account
            applyDiscount(userId, discountCode);
            // Mark discount as used for this user
            usedDiscounts[userId].add(discountCode);
            console.log("Discount applied successfully.");
        } else {
            console.log("Discount code already used by this user.");
        }
    } else {
        console.log("Invalid or expired discount code.");
    }
}

Explanation

In the fixed code example, we introduced the usedDiscounts object to track which discount codes have been used by each user. Before applying the discount, we check if the user has already used the code. If not, we proceed with the application and record the usage. This ensures that a discount code can only be applied once per user, effectively mitigating the CWE-837 vulnerability. This approach ensures that the system respects the single-use policy and prevents abuse.

Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-837: Improper Enforcement of a Single, Unique Action and get remediation guidance

Start for free and no credit card needed.