Whether a URL is same-origin with `http://normal-website.com/example/example.html` depends only on its scheme, host and port:

- `http://normal-website.com/example/` - same origin
- `http://normal-website.com/example2/` - same origin (the path does not matter)
- `https://normal-website.com/example/` - different origin (scheme)
- `http://en.normal-website.com/example/` - different origin (host)
- `http://www.normal-website.com/example/` - different origin (host)
- `http://normal-website.com:8080/example/` - different origin (port)
**`Access-Control-Allow-Origin` header**

The specification for `Access-Control-Allow-Origin` allows for multiple origins, the value `null`, or the wildcard `*`. However, no browser supports multiple origins, and there are restrictions on the use of the wildcard `*`: it can only be used alone (so `Access-Control-Allow-Origin: https://*.normal-website.com` will fail), and it cannot be combined with `Access-Control-Allow-Credentials: true`. The server sets this header in response to the `Origin`
header added by the browser.

**`Access-Control-Allow-Credentials` header**

A cross-origin request is sent without credentials unless the server sets the `Access-Control-Allow-Credentials` header to `true`. When it is `true`, the browser will send credentials (cookies, authorization headers or TLS client certificates).

**Pre-flight check**

When a cross-origin request uses a non-simple method or custom headers, the browser first sends a request with the `OPTIONS` method, and the CORS protocol necessitates an initial check on what methods and headers are permitted prior to allowing the cross-origin request. This is called the pre-flight check. The server returns a list of allowed methods in addition to the trusted origin, and the browser checks whether the requesting website's method is allowed. For example, a request using the `PUT` method together with a custom request header called `Special-Request-Header` triggers such a pre-flight exchange.
The headers involved in the pre-flight exchange:

| Header | Meaning |
|---|---|
| `Access-Control-Allow-Headers` | Allowed headers |
| `Access-Control-Expose-Headers` | |
| `Access-Control-Max-Age` | Defines a maximum timeframe for caching the pre-flight response for reuse |
| `Access-Control-Request-Headers` | The header the cross-origin request wants to send |
| `Access-Control-Request-Method` | The method the cross-origin request wants to use |
| `Origin` | Origin of the cross-origin request (set automatically by the browser) |

**Exploitable misconfigurations**

Most misconfigurations require `Access-Control-Allow-Credentials` to be set to `true`, because only then will the browser send the credentials and let the requesting page read the response. Without credentials, many attacks become irrelevant; it means you can't ride on a user's cookies, so there is often nothing to be gained by making their browser issue the request rather than issuing it yourself.

**`Origin` reflected in `Access-Control-Allow-Origin`**

Many servers generate the `Access-Control-Allow-Origin` header dynamically, and on more than one occasion they just copy the value of the `Origin` header. A page hosted on attacker.com can then make the victim's browser send a credentialed request to victimdomain.com and read the response to steal the confidential information.
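The header combinations discussed above (wildcard or `null` together with credentials, multiple origins, a reflected `Origin`) can be checked mechanically. The following is an added example, not code from the original page: it audits one request/response pair and returns the findings; the sample header sets in `main()` are constructed.

```python
"""Flag the CORS response-header combinations described above.

Added example, not code from the original page. It inspects one
request/response pair; the sample pairs in main() are constructed.
"""
from typing import Dict, List

ACAO = "access-control-allow-origin"
ACAC = "access-control-allow-credentials"


def audit_cors(request_origin: str, response_headers: Dict[str, str]) -> List[str]:
    """Return a list of findings (an empty list means nothing to report).

    A single pair cannot tell a reflected Origin from a legitimately
    allowlisted one, so test with an origin that should NOT be trusted.
    """
    headers = {name.lower(): value.strip() for name, value in response_headers.items()}
    acao = headers.get(ACAO)
    creds = headers.get(ACAC, "").lower() == "true"
    findings: List[str] = []

    if acao is None:
        return findings            # no grant: other origins cannot read the body

    if acao == "*":
        # "*" may only stand alone and is never honoured with credentials.
        if creds:
            findings.append("wildcard-with-credentials")
    elif "*" in acao:
        findings.append("partial-wildcard")          # e.g. https://*.example is not valid
    elif "," in acao or " " in acao:
        findings.append("multiple-origins")          # no browser honours a list
    elif acao == "null":
        if creds:
            findings.append("null-with-credentials")  # any sandboxed iframe has origin null
    elif acao == request_origin:
        findings.append("origin-reflected-with-credentials" if creds else "origin-reflected")
    return findings


def main() -> None:
    # Constructed samples: an untrusted origin probing a few server behaviours.
    probe = "https://untrusted.example"
    samples = {
        "reflects origin + credentials": {ACAO: probe, ACAC: "true"},
        "fixed trusted origin": {ACAO: "https://app.example", ACAC: "true"},
        "wildcard + credentials": {ACAO: "*", ACAC: "true"},
        "null + credentials": {ACAO: "null", ACAC: "true"},
    }
    for label, headers in samples.items():
        print(f"{label:32} -> {audit_cors(probe, headers) or ['ok']}")


if __name__ == "__main__":
    main()
```

The finding names are short tags so the function can feed a scanner or a test suite; a fixed, non-matching `Access-Control-Allow-Origin` yields no finding because the browser will simply refuse the read.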
**`null` Origin**

`null` is a special value for the `Origin` header. The specification mentions it being triggered by redirects and by local HTML files. Some applications might whitelist the `null` origin to support local development of the application. This is nice for an attacker because several applications will allow this value inside the CORS policy, and any website can easily obtain the `null` origin using a sandboxed iframe.

**Regexp bypasses**

Most of the regexes used to identify the domain inside the `Origin` value only expect alphanumeric ASCII characters and `.-`. Then, something like `victimdomain.com{.attacker.com` inside the `Origin` header will be interpreted by the regexp as if the domain was victimdomain.com, but the browser (in this case Safari, which supports this character in the domain) will access the domain attacker.com. The `_` character (in subdomains) is not only supported in Safari, but also in Chrome and Firefox!
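The origin rules at the top of the page (scheme, host, port), the pre-flight section and the regexp bypasses just described all come down to how the server validates the `Origin` value. The following is an added example, not code from the original page: it puts the weak, unanchored regex beside a strict check that parses the origin into its (scheme, host, port) triple and matches it exactly against an allowlist, then builds a pre-flight reply on top of the strict check. The allowlist entries, the allowed methods and headers, and the regex are hypothetical stand-ins for a server that trusts victimdomain.com.

```python
"""Origin validation done two ways, plus a pre-flight reply built on the strict one.

Added example, not code from the original page. The allowlist, the
methods/headers and the regex are hypothetical stand-ins for a server that
trusts victimdomain.com.
"""
import re
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical allowlist as (scheme, host, port) triples: the same three
# components that decide whether two URLs are the same origin.
ALLOWED_ORIGINS = {
    ("https", "victimdomain.com", 443),
    ("https", "app.victimdomain.com", 443),
}
ALLOWED_METHODS = {"GET", "POST", "PUT"}
ALLOWED_HEADERS = {"content-type", "special-request-header"}

# The weak pattern the page warns about: unanchored, so it matches anywhere
# in the header value (victimdomain.com.attacker.com, victimdomain.com{.attacker.com, ...).
WEAK_RE = re.compile(r"victimdomain\.com")


def weak_origin_allowed(origin: str) -> bool:
    return WEAK_RE.search(origin) is not None


def canonical_origin(origin: str) -> Optional[Tuple[str, str, int]]:
    """Parse a serialized Origin into (scheme, host, port); None if it is not a clean origin."""
    try:
        parts = urlsplit(origin)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # A real Origin value carries no path, query, fragment or userinfo.
    if parts.path or parts.query or parts.fragment or parts.username or parts.password:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname, port)   # hostname is already lower-cased


def strict_origin_allowed(origin: str) -> bool:
    """Exact match on the canonical triple: no substring, no regex, never 'null'."""
    canon = canonical_origin(origin)
    return canon is not None and canon in ALLOWED_ORIGINS


def preflight_response(origin: str, request_method: str,
                       request_headers: str) -> Optional[Dict[str, str]]:
    """Headers for an OPTIONS pre-flight reply; None means refuse (reply without CORS headers)."""
    if not strict_origin_allowed(origin):
        return None
    if request_method.upper() not in ALLOWED_METHODS:
        return None
    wanted = {h.strip().lower() for h in request_headers.split(",") if h.strip()}
    if not wanted <= ALLOWED_HEADERS:
        return None
    return {
        # Echo the specific, already-validated origin rather than "*", so the
        # grant can coexist with credentials; Vary keeps shared caches per-origin.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        "Access-Control-Allow-Headers": ", ".join(sorted(ALLOWED_HEADERS)),
        "Access-Control-Max-Age": "600",
        "Vary": "Origin",
    }


def compare_checks(origin: str) -> Tuple[bool, bool]:
    """(weak, strict) verdict for one Origin value."""
    return (weak_origin_allowed(origin), strict_origin_allowed(origin))


if __name__ == "__main__":
    # Constructed Origin values, including the regex-bypass shapes from the page.
    for o in ["https://victimdomain.com", "https://victimdomain.com:443",
              "http://victimdomain.com", "https://victimdomain.com.attacker.com",
              "https://victimdomain.com{.attacker.com", "null"]:
        weak, strict = compare_checks(o)
        print(f"{o:45} weak={weak!s:5} strict={strict}")
```

Running the block shows the weak check accepting every value that merely contains the trusted name, while the strict check accepts only the two allowlisted triples (and treats `:443` as equivalent to the default port). The pre-flight helper refuses by returning `None`; a server should then answer without any CORS headers rather than with a partial grant.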
**XSS in a trusted subdomain**

When a trusted subdomain such as sub.requester.com is vulnerable to XSS, an attacker can exploit provider.com through that cross-site scripting vulnerability, since requests from the trusted subdomain pass the CORS check.

**Reflected `Origin` with header injection**

Example request and response in which the reflected `Origin` value carries a CR (`[0x0d]`) followed by an injected header:

```http
GET / HTTP/1.1
Origin: z[0x0d]Content-Type: text/html; charset=UTF-7

HTTP/1.1 200 OK
Access-Control-Allow-Origin: z
Content-Type: text/html; charset=UTF-7
```
**Other ways around the SOP**

When a resource is included using a `script` tag, the SOP doesn't apply, because scripts have to be able to be included cross-domain. An attacker can thus read everything that was included using the `script` tag.

Try adding a `callback` parameter to the request: maybe the page was prepared to send the data as JSONP. In that case the page will send back the data with `Content-Type: application/javascript`, which will bypass the CORS policy.

If the target does not return an `Access-Control-Allow-Origin` for your origin, another domain can make the request for you, but notice that the credentials of the final victim won't be sent, as the browser will be contacting a different domain (the one that will make the request for you).

A check of the form `e.origin === window.origin` can be bypassed by creating an iframe and from it opening a new window. More information in the following page:

Singularity of Origin is a tool to perform DNS rebinding attacks. It includes the necessary components to rebind the IP address of the attack server DNS name to the target machine's IP address and to serve attack payloads to exploit vulnerable software on the target machine.