https://soffensive.github.io/tags/web-security/Recent content in Web Security on soffensive blogHugoenMon, 23 Apr 2018 08:04:00 -0700https://soffensive.github.io/posts/web-app-sec/2018-04-23-exploiting-misconfigured-cors-null-origin/Mon, 23 Apr 2018 08:04:00 -0700https://soffensive.github.io/posts/web-app-sec/2018-04-23-exploiting-misconfigured-cors-null-origin/<p>Almost two years ago, in October 2016, James Kettle published an excellent <a href="http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html" target="_blank" rel="noopener noreffer ">blog post</a> about the various types of Cross-Origin Resource Sharing (CORS) misconfigurations and how they can be exploited.</p> <p>Recently, I encountered a web application that allowed for two-way interaction with the so-called null origin. More precisely, when sending an HTTP request specifying the header:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-http" data-lang="http"><span class="line"><span class="cl"><span class="err">Origin: null </span></span></span></code></pre></td></tr></table> </div> </div><p>the server would respond with the following two HTTP headers:</p>