Cross-Origin Resource Abuse Detection
Detect and block MCP tool calls that access resources outside their declared origin scope — addressing OWASP MCP Top 10 #4. ShieldAgent evaluates the target of every tool call against per-tool origin allowlists and flags violations before they reach upstream servers.
The Threat
OWASP MCP Top 10 #4 (Cross-Origin Resource Abuse) describes scenarios where an AI agent is manipulated — through prompt injection, a compromised tool response, or a malicious task — into calling an MCP tool with parameters that target a resource it was never intended to reach.
SSRF via MCP tools
criticalCross-tenant resource access
highDNS rebinding
highUnauthorized scheme usage
mediumHow ShieldAgent Detects It
For each MCP tool call request that passes through the proxy, ShieldAgent extracts all URL-shaped values from the tool arguments and evaluates them against the tool's configured origin scope. Evaluation runs in the policy pipeline before the request reaches the upstream MCP server.
Abuse patterns detected
ShieldAgent evaluates every URL-shaped argument against the tool's configured origin scope, blocking calls that target private networks, cloud infrastructure endpoints, disallowed URI schemes, or origins outside the configured allowlist. DNS lookups detect rebinding attacks where an allowlisted hostname resolves to a restricted address.
Configuration
Origin scope is configured per tool in your ShieldAgent policy YAML. The global settings below control detection defaults when no per-tool scope is defined.
Global settings
| Setting | Default | Description |
|---|---|---|
| Cross-origin detection | true | Enable cross-origin resource abuse detection. |
| Block private IPs | true | Block tool calls targeting private/loopback IP ranges by default. |
| Block metadata endpoints | true | Block calls to known cloud metadata endpoints. |
| DNS resolution | true | Resolve DNS to detect rebinding. Disable only if your proxy cannot perform DNS lookups. |
| Default action | block | Action when a violation is detected: block or alert. |
Per-tool origin scope (policy YAML)
tools:
- name: fetch_url
origin_scope:
allowed_origins:
- "https://api.example.com"
- "https://cdn.example.com"
allowed_schemes:
- "https"
block_private_ips: true
block_metadata_endpoints: trueAudit Events & API
Every violation is persisted as a cross_origin_abuse audit event including the offending argument, the detected pattern, and the resolved IP (when DNS rebinding is suspected).
{
"id": "aev_...",
"agentId": "agt_...",
"tenantId": "ten_...",
"eventType": "cross_origin_abuse",
"toolName": "fetch_url",
"action": "block",
"riskScore": 88,
"details": {
"offendingArgument": "url",
"offendingValue": "http://192.168.1.1/admin",
"resolvedIp": "192.168.1.1",
"allowedOrigins": ["https://api.example.com"]
},
"timestamp": "2026-04-25T10:00:00.000Z"
}API endpoints
Policy Integration
Use security.crossOrigin.detected as a policy condition to block tool calls that violate origin controls:
{
"name": "Block cross-origin resource abuse",
"priority": 3,
"conditions": [
{ "field": "security.crossOrigin.detected", "op": "eq", "value": true }
],
"action": "block",
"response": {
"code": 403,
"message": "Cross-origin resource access blocked by security policy."
}
}