Detections
Analytics

Access Restriction Bypass Via Origin Spoof

medium Web App Scanning Plugin ID 98096

Language:

Synopsis

Access Restriction Bypass Via Origin Spoof

Description

Origin headers are utilised by proxies and/or load balancers to track the originating IP address of the client.

As the request progresses through a proxy, the origin header is added to the existing headers, and the value of the client's IP is then set within this header. Occasionally, poorly implemented access restrictions are based off of the originating IP address alone.

For example, any public IP address may be forced to authenticate, while an internal IP address may not.

Because this header can also be set by the client, it allows cyber-criminals to spoof their IP address and potentially gain access to restricted pages.

Scanner discovered a resource that it did not have permission to access, but been granted access after spoofing the address of localhost (127.0.0.1), thus bypassing any requirement to authenticate.

Solution

Remediation actions may be vastly different depending on the framework being used, and how the application has been coded. However, the origin header should never be used to validate a client's access as it is trivial to change.

Plugin Details

Severity: Medium

ID: 98096

Type: remote

Published: 3/31/2017

Updated: 8/24/2022

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 2.2

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

Reference Information