#140 | pen17 – Reminder on CORS headers

Hi everybody, this week I’ll be traveling for work, so I won’t have a lot of time to do lenghty articles. The subject of the day is gonna be security again, more specifically about web and CORS.


CORS or Cross-Origin Resource Sharing is a mechanism using HTTP headers to specify that an application running at one origin can have the permission to access selected resources from a server with a different origin.


Interesting headers

Here is a list of interesting used to enable CORS with your HTTP server:

  • Access-Control-Allow-Origin: Allows a domain to do request to your server and recover data.
  • Access-Control-Allow-Methods: Will block CORS to some specific methods. Generally it is an output of OPTIONS
  • Access-Control-Allow-Headers: Same thing for headers
  • Access-Control-Allow-Credentials: This header will allow sending credentials, such as a cookie or an Authorization header. This setting will be voided if Allow-Origin is set to * or not set.


Attacking CORS

To exploit misconfigured CORS, such as Access-Control-Allow-Credentials, generally you’ll have to have a specific rule for your server. The best way to have one easily is to try to send the “Origin:” header with a domain and see if by any change it gets reflected in the output.

You can also setup the Origin header to “null” can be exploited as well, due to the usage of an iframe that will set the null origin.

<iframe sandbox="allow-scripts allow-top-navigation allow-forms" src='data:text/html,<script>*cors stuff here*</script>’></iframe>


Leave a Reply

Your email address will not be published.