CWE-346: Origin Validation Error

Overview

Origin validation errors occur when an application fails to verify the source of a request: it accepts cross-origin requests without validation, trusts the Referer header, or misconfigures CORS. The result is exposure to CSRF attacks, cross-site data theft, and unauthorized cross-domain access.

OWASP Classification

A07:2025 - Authentication Failures

Risk

High: Missing origin validation enables CSRF attacks, cross-origin data exfiltration, unauthorized API access from malicious sites, WebSocket hijacking, and clickjacking. Attackers can forge requests appearing to come from trusted origins.

Remediation Steps

Core principle: Validate the origin of security-relevant data; bind it to a trusted identity/channel before acting on it.

Locate the origin validation error in your application

  • Identify missing origin checks: Check your scan results for endpoints that accept cross-origin requests without validation (CORS misconfiguration, missing CSRF tokens, no Origin/Referer validation)
  • Find vulnerable endpoints: Locate state-changing operations (POST, PUT, DELETE) that don't verify request origin (form submissions, API calls, WebSocket connections)
  • Check CORS configuration: Look for Access-Control-Allow-Origin: *, Origin headers reflected without validation, and Access-Control-Allow-Credentials: true combined with a wildcard origin
  • Trace request flow: Follow how cross-origin requests are processed from receipt → origin check (or lack thereof) → action execution
  • Assess attack impact: Determine if attackers can perform CSRF (submit forms as victim), exfiltrate data (cross-origin API calls), or hijack WebSockets

Implement proper CORS configuration (Primary Defense)

  • Allowlist specific allowed origins: Configure Access-Control-Allow-Origin with exact domains (NOT wildcard *)
  • Validate Origin header server-side: Check incoming Origin header against allowlist before setting CORS headers
  • Set Access-Control-Allow-Credentials carefully: Only set to true for trusted origins, never combine with *
  • Don't reflect Origin header without validation: Don't do Access-Control-Allow-Origin: ${request.getHeader("Origin")}
  • Example: Access-Control-Allow-Origin: https://trusted-app.example.com

Use anti-CSRF tokens for state-changing operations

  • Synchronizer token pattern: Generate unique token per session, include in forms/AJAX requests, validate on server
  • Double-submit cookie pattern: Set CSRF token in cookie and require same value in request parameter
  • SameSite cookie attribute: Set SameSite=Strict or SameSite=Lax on session cookies
  • Validate tokens on state-changing operations: POST, PUT, DELETE, PATCH requests must include valid CSRF token
  • Framework support: Use built-in CSRF protection (Django CSRF middleware, Spring Security CSRF, Express csurf)

Validate request origin (Defense in Depth)

  • Check Origin header: Modern browsers send an Origin header on cross-origin requests; compare it exactly against the allowlist
  • Validate Referer header as secondary check: Fall back to Referer only when Origin is absent, and compare its scheme and host, not a substring (note that Referer can be suppressed)
  • Reject requests with missing/invalid origins: For sensitive operations, require a valid Origin or Referer and refuse the request when neither is present
  • Don't rely solely on Referer: Referer can be suppressed by browser settings, referrer policies, or proxies
  • Combine with CSRF tokens: Origin validation alone is insufficient

Configure SameSite cookies

  • SameSite=Strict (most secure): Cookie is never sent on cross-site requests, so cross-site CSRF cannot ride on the session cookie
  • SameSite=Lax (balance security/usability): Cookie sent on top-level navigations, withheld on cross-site POST and API requests
  • Apply to session cookies: All authentication and session cookies should have SameSite
  • Combine with CSRF tokens: Use SameSite as defense-in-depth with token validation
  • Browser support: Check compatibility, provide fallback for older browsers
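As an added example (not code from this page or from any scanner vendor), the two server-side checks above, the exact-match CORS allowlist from "Implement proper CORS configuration" and the Origin/Referer check for state-changing requests, written as one framework-neutral Python helper. The allowlist values, the plain-dict header shape and the function names are constructed for the illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example: exact scheme://host[:port] values,
# no wildcard and no suffix matching (a real deployment loads it from config).
ALLOWED_ORIGINS = frozenset({"https://trusted-app.example.com", "https://admin.example.com"})
STATE_CHANGING = frozenset({"POST", "PUT", "PATCH", "DELETE"})


def normalize_origin(value):
    """Canonicalise an Origin value or Referer URL to scheme://host[:port].
    Returns None for a missing value, the literal "null" origin, a non-http(s)
    scheme or an unparsable URL, so callers only ever compare exact strings."""
    if not value or value.strip().lower() == "null":
        return None
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    default = 443 if parts.scheme == "https" else 80
    host = parts.hostname.lower()  # whole hostname: "a.example.com.attacker.example" never matches
    return f"{parts.scheme}://{host}" if port in (None, default) else f"{parts.scheme}://{host}:{port}"


def cors_headers(origin):
    """CORS response headers for one request. The vulnerable pattern is reflecting
    the Origin header unchanged; here it is echoed only after an exact allowlist
    match, and Vary: Origin keeps caches from reusing the answer across origins."""
    canon = normalize_origin(origin)
    if canon not in ALLOWED_ORIGINS:
        return {}  # no CORS headers at all: the browser refuses the cross-origin read
    return {
        "Access-Control-Allow-Origin": canon,  # exact value, never "*" with credentials
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def request_origin_allowed(method, headers):
    """Origin check for state-changing requests (headers: plain dict, any key case).
    A present Origin header is authoritative, even when it says "null"; Referer is
    consulted only when Origin is absent; a request carrying neither is refused."""
    if method.upper() not in STATE_CHANGING:
        return True  # safe methods are governed by CORS, not by this check
    hdrs = {k.lower(): v for k, v in headers.items()}
    if "origin" in hdrs:
        return normalize_origin(hdrs["origin"]) in ALLOWED_ORIGINS
    return normalize_origin(hdrs.get("referer")) in ALLOWED_ORIGINS
```

The origin check is a complement to the CSRF token, not a replacement for it, as the bullet above says.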

Test origin validation thoroughly

  • Test cross-origin requests from untrusted domain (should be rejected)
  • Test CSRF attack: submit form from attacker site to victim site (should fail without token)
  • Verify CORS headers only allow trusted origins
  • Test with missing Origin/Referer headers (sensitive operations should reject)
  • Verify SameSite cookies prevent cross-site requests
  • Test CSRF token validation (requests without token should fail)
  • Re-scan with security scanner to confirm the issue is resolved

Common Vulnerable Patterns

  • Access-Control-Allow-Origin: *
  • Reflecting Origin header without validation
  • No CSRF token validation
  • Trusting Referer header alone
  • Missing SameSite on session cookies

Additional Resources