Exploiting misconfigured CORS Null Origin
Almost two years ago, in October 2016, James Kettle published an excellent blog post about the various types of Cross-Origin Resource Sharing (CORS) misconfigurations and how they can be exploited.
Recently, I encountered a web application that allowed two-way interaction with the so-called null origin. More precisely, when sending an HTTP request that specifies the header:

Origin: null
the server would respond with the following two HTTP headers:
This configuration allows us to issue arbitrary requests to the application, and read the responses, as long as we can set the Origin header to null. According to Kettle's blog post, it can be exploited by issuing the request from within an iframe that loads a data: URL, as follows:
Although the code above points in the right direction, it omits a complete proof of concept. I struggled to find code that would work in both Chrome and Firefox, but eventually succeeded with the following snippet:
As soon as the page above is opened, a request to https://vuln-app.com/confidential should be issued with an Origin: null HTTP header, and the corresponding HTTP response should appear in the browser console.
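To make the server-side misconfiguration concrete from the defender's side, here is an added example (not code from the post or from the application it describes) that models both the weak CORS behaviour the post reports and a hardened allowlist replacement, plus a small audit helper that classifies the response headers returned for an Origin: null request. The allowlist, the example origins, and the assumption that the second response header is Access-Control-Allow-Credentials: true (the post counts two headers but does not list them) are mine.

```python
"""Audit and hardening helpers for the null-origin CORS issue described above.

Added example, not code from the original post. It models the server side:
given an incoming Origin request header, which CORS response headers should
(and should not) come back. The allowlist and origins are constructed.
"""
from typing import Dict

# Constructed sample allowlist of origins that are genuinely trusted.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})


def vulnerable_cors_headers_for(origin: str) -> Dict[str, str]:
    """Model of the misconfiguration in the post: the null origin is accepted.

    The post says two headers come back but does not list them; the second
    one is assumed here to be Allow-Credentials: true, which is what makes
    the interaction "two-way" (cookies are sent and the response is readable).
    """
    if origin == "null":
        return {
            "Access-Control-Allow-Origin": "null",
            "Access-Control-Allow-Credentials": "true",
        }
    return {}


def cors_headers_for(origin: str) -> Dict[str, str]:
    """Hardened version: exact-match allowlist, never reflect, never "null"."""
    # Browsers send Origin: null for sandboxed iframes, data: URLs and
    # file:// pages, so it can never identify a trusted caller.
    if origin == "null" or origin not in ALLOWED_ORIGINS:
        return {}  # no CORS headers: the browser blocks the cross-origin read
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # A per-origin response must not be cached and served to another origin.
        "Vary": "Origin",
    }


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def audit_null_origin(headers: Dict[str, str]) -> str:
    """Classify the CORS headers an application returned for Origin: null.

    "safe"        - the null origin is not granted access
    "readable"    - Allow-Origin: null without credentials (anonymous reads
                    from a null-origin page are possible)
    "exploitable" - Allow-Origin: null plus Allow-Credentials: true, the
                    configuration the post describes
    """
    acao = _header(headers, "Access-Control-Allow-Origin")
    creds = _header(headers, "Access-Control-Allow-Credentials").lower() == "true"
    if acao != "null":
        return "safe"
    return "exploitable" if creds else "readable"


if __name__ == "__main__":
    print("vulnerable:", audit_null_origin(vulnerable_cors_headers_for("null")))
    print("hardened:  ", audit_null_origin(cors_headers_for("null")))
    for origin in ("https://app.example.com", "https://attacker.example", "null"):
        print(origin, "->", cors_headers_for(origin))
```

Run against captured response headers, `audit_null_origin` turns the post's finding into a repeatable check you can keep in a test suite; the hardened `cors_headers_for` shows the fix, which is simply to treat "null" like any other untrusted origin and return no CORS headers at all.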