logo

Origin Validation Error

Draft Class
Structure: Simple
Description

This vulnerability occurs when an application fails to properly confirm the true origin of incoming data or communication, allowing attackers to spoof their source.

Extended Description

Origin Validation Errors happen because applications often trust metadata like IP addresses, DNS names, or HTTP headers that can be easily forged. Attackers exploit this by impersonating legitimate systems, tricking the application into accepting malicious data as if it came from a trusted source. This is a fundamental flaw in the trust boundary of the system. To prevent this, developers must implement robust verification mechanisms that rely on unforgeable credentials, such as cryptographic signatures or secure tokens, rather than easily spoofed information. Always validate the origin at the point of trust establishment and consistently enforce this check for all subsequent interactions.
Common Consequences 1
Scope: Access ControlOther

Impact: Gain Privileges or Assume IdentityVaries by Context

An attacker can access any functionality that is inadvertently accessible to the source.
Demonstrative Examples 2

ID : DX-112

This Android application will remove a user account when it receives an intent to do so:

Code Example:

Bad
Java
java
This application does not check the origin of the intent, thus allowing any malicious application to remove a user. Always check the origin of an intent, or create an allowlist of trusted applications using the manifest.xml file.

ID : DX-109

These Android and iOS applications intercept URL loading within a WebView and perform special actions if a particular URL scheme is used, thus allowing the Javascript within the WebView to communicate with the application:

Code Example:

Bad
Java


// Android*
@Override
public boolean shouldOverrideUrlLoading(WebView view, String url){
```
if (url.substring(0,14).equalsIgnoreCase("examplescheme:")){
if(url.substring(14,25).equalsIgnoreCase("getUserInfo")){
writeDataToView(view, UserData);
return false;
}
else{
return true;
}
}
}


Code Example:
Bad
Objective-C


// iOS*
-(BOOL) webView:(UIWebView *)exWebView shouldStartLoadWithRequest:(NSURLRequest *)exRequest navigationType:(UIWebViewNavigationType)exNavigationType
{
```
NSURL *URL = [exRequest URL];
if ([[URL scheme] isEqualToString:@"exampleScheme"])
{
NSString *functionString = [URL resourceSpecifier];
if ([functionString hasPrefix:@"specialFunction"])
{


objective-c
A call into native code can then be initiated by passing parameters within the URL:
Code Example:
Attack
JavaScript
javascript
Because the application does not check the source, a malicious website loaded within this WebView has the same access to the API as a trusted site.
  
Observed Examples 10
CVE-2000-1218DNS server can accept DNS updates from hosts that it did not query, leading to cache poisoning
CVE-2018-6074Browser does not set Mark-of-the-Web (MotW) for a downloaded .EXE file if the name is close to the maximum path length, preventing recording of a zone identifier in the filename
CVE-2025-0411Zip file extraction program does not propagate Mark-of-the-Web (MotW) metadata to files that are extracted from an Internet-downloaded Zip file
CVE-2025-46652Zip file extraction program does not propagate Mark-of-the-Web (MotW) metadata to files that are extracted from an Internet-downloaded Zip file
CVE-2005-0877DNS server can accept DNS updates from hosts that it did not query, leading to cache poisoning
CVE-2001-1452DNS server caches glue records received from non-delegated name servers
CVE-2005-2188user ID obtained from untrusted source (URL)
CVE-2003-0174LDAP service does not verify if a particular attribute was set by the LDAP server
CVE-1999-1549product does not sufficiently distinguish external HTML from internal, potentially dangerous HTML, allowing bypass using special strings in the page title. Overlaps special elements.
CVE-2003-0981product records the reverse DNS name of a visitor in the logs, allowing spoofing and resultant XSS.
  
References 1
A Taxonomy of Security Faults in the UNIX Operating System
Taimur Aslam
01-08-1995
https://cwe.mitre.org/documents/sources/ATaxonomyofSecurityFaultsintheUNIXOperatingSystem%5BAslam95%5D.pdf(2024-11-17)
ID: REF-324
 
  
    
 
 
Applicable Platforms 
 
 
 
 
 
Languages:
 
 
 Not Language-Specific : Undetermined 
  
  
 
 
 
  
 
 
Modes of Introduction 
 
 
 
 
 
  Architecture and Design  
 
  Implementation  
 
 
 
  
Related Attack Patterns 
        
 
 
Related Weaknesses 
 
 
 
 
  ChildOf:
 Insufficient Verification of Data Authenticity (CWE-345) 
  ChildOf:
 Insufficient Verification of Data Authenticity (CWE-345) 
  ChildOf:
 Improper Access Control (CWE-284) 
 
 
 
 
Taxonomy Mapping 
  • PLOVER
  • ISA/IEC 62443
  • ISA/IEC 62443
  • ISA/IEC 62443
  • ISA/IEC 62443
  • ISA/IEC 62443
  • ISA/IEC 62443
  
Notes 
MaintenanceThis entry has some significant overlap with other CWE entries and may need some clarification. See terminology notes.
TerminologyThe "Origin Validation Error" term was originally used in a 1995 thesis [REF-324]. Although not formally defined, an issue is considered to be an origin validation error if either (1) "an object [accepts] input from an unauthorized subject," or (2) "the system [fails] to properly or completely authenticate a subject." A later section says that an origin validation error can occur when the system (1) "does not properly authenticate a user or process" or (2) "does not properly authenticate the shared data or libraries." The only example provided in the thesis (covered by OSVDB:57615) involves a setuid program running command-line arguments without dropping privileges. So, this definition (and its examples in the thesis) effectively cover other weaknesses such as Improper Authentication (Improper Authentication), Improper Authorization (Improper Authorization), and Execution with Unnecessary Privileges (Execution with Unnecessary Privileges). There appears to be little usage of this term today, except in the SecurityFocus vulnerability database, where the term is used for a variety of issues, including web-browser problems that allow violation of the Same Origin Policy and improper validation of the source of an incoming message.