Origin Spoof Access Restriction Bypass

OWASP 2013-A5 OWASP 2017-A6 OWASP 2021-A5 OWASP 2019-API7 CWE-732 WASC-15

The Origin request header shows where a fetch originates. That is, origin headers are used by load balancers or proxies to identify the source IP of the user. The header includes the server name only; it is sent with Cross-Origin Resource Sharing (CORS) requests and with POST requests, and it does not disclose the whole path. A server is vulnerable to Access Restriction Bypass through origin spoofing when its access restrictions are poorly implemented and rely on the originating IP address alone. Because the origin headers reaching the web application carry the public IP address of the client, an attacker can spoof that IP address and gain access to restricted pages.


The Origin header involved in this attack takes one of the following forms (an empty value, or a scheme and hostname with an optional port):

        Origin: ""
        Origin: <scheme> "://" <hostname> [ ":" <port> ]

The impact includes:

  • Denial of access attacks.
  • Complete host takeover.
  • Loss of sensitive data.

Mitigation / Precaution

Beagle recommends the following fixes:

  • Do not use the origin header to validate the client’s access.
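To make the mitigation concrete, the following is an added example written for this page; it is not Beagle's code. It places the weak pattern the text describes (deciding access from an IP address read out of a client-controlled header such as Origin or X-Forwarded-For) beside a hardened check that decides from the actual transport peer address and consults X-Forwarded-For only when the connection arrives from a known proxy. The `Request` class, the allowed range 10.0.0.0/8, the proxy address 192.0.2.10 and the sample addresses are all constructed for illustration.

```python
"""Weak vs. hardened IP allowlisting when clients can forge headers.

Added example, not Beagle's code. The Request class, the allowed client
range (10.0.0.0/8) and the trusted proxy address (192.0.2.10) are
constructed assumptions for illustration only.
"""
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed policy: only clients from this range may reach restricted pages.
ALLOWED_CLIENTS = [ipaddress.ip_network("10.0.0.0/8")]
# Constructed: the one reverse proxy whose X-Forwarded-For header we trust.
TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.10")}


@dataclass
class Request:
    peer_ip: str                      # address the TCP connection really came from
    headers: dict = field(default_factory=dict)


def _allowed(ip) -> bool:
    """True if the address falls inside any allowlisted network."""
    return any(ip in net for net in ALLOWED_CLIENTS)


def _parse_ip(text):
    """Parse an IP literal; return None for anything that is not one."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def is_allowed_weak(req: Request) -> bool:
    """The vulnerable pattern: the client address is read from headers the
    client itself controls, so any value can be written into them."""
    xff = req.headers.get("X-Forwarded-For")
    if xff:
        candidate = _parse_ip(xff.split(",")[0])   # trusts the leftmost, client-supplied hop
        if candidate is not None:
            return _allowed(candidate)
    origin = req.headers.get("Origin")
    if origin:
        host = urlsplit(origin).hostname           # e.g. "10.0.0.5" from "http://10.0.0.5"
        candidate = _parse_ip(host) if host else None
        if candidate is not None:
            return _allowed(candidate)
    return _allowed(ipaddress.ip_address(req.peer_ip))


def is_allowed_hardened(req: Request) -> bool:
    """Decide from the transport peer address. X-Forwarded-For is used only
    when the connection comes from a trusted proxy, and then only the entry
    that proxy appended (the rightmost one). Origin plays no part at all."""
    peer = ipaddress.ip_address(req.peer_ip)
    if peer not in TRUSTED_PROXIES:
        return _allowed(peer)                      # direct connection: headers are irrelevant
    xff = req.headers.get("X-Forwarded-For", "")
    forwarded = _parse_ip(xff.split(",")[-1]) if xff else None
    if forwarded is None:
        return False                               # proxy gave no usable client address: fail closed
    return _allowed(forwarded)


if __name__ == "__main__":
    # Constructed request: external peer claiming an internal address in a header.
    spoofed = Request("203.0.113.7", {"X-Forwarded-For": "10.0.0.5"})
    print("weak    :", is_allowed_weak(spoofed))      # True  (restriction bypassed)
    print("hardened:", is_allowed_hardened(spoofed))  # False
```

The hardened check fails closed when a trusted proxy forwards no usable client address, and it takes the rightmost X-Forwarded-For entry because that is the one the proxy itself appended; with a chain of several proxies, the entry to trust moves left by one per trusted hop, so the set of trusted proxies must match the real deployment.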
