Origin Spoof Access Restriction Bypass

Manieendar Mohan
Published on
29 Jun 2018
1 min read

The Origin request header shows from where the fetch originates from. That is, the origin headers are used by load balancers or proxies to identify the source IP of the user. The header includes the server name only. The header is sent with Cross-Origin Resource Sharing requests along with POST requests. An origin header doesn’t disclose the whole path. A server is considered to be vulnerable to Access Restriction Bypass using origin spoof attack because of its poorly implemented access restrictions based on the originating IP address alone. Origin headers of the web application contain the public IP address of the client and as a result, the attackers can spoof the IP address and can gain access to restricted pages.


The below code is an example of Origin Spoof Access:-

        Origin: ""
        Origin: <scheme> "://" <hostname> [ ":" <port> ]



The impact include:-

  • Denial of access attacks.
  • Complete host takeover.
  • Loss of sensitive data.

Mitigation / Precaution

  • Beagle recommends the following fixes-
  • Try not to use the origin header to validate the client’s access.
Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Manieendar Mohan
Manieendar Mohan
Cyber Security Lead Engineer
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment