Collaborate Disseminate
Am I correct in assuming that setting the ‘access-control-allow-credentials True’ header, even if you are not including the ‘access-control-allow-origin’ header is potentially dangerous for a website? My thought here being it still allows … Continue reading CORS with access-control-allow-credentials
I’m trying to setup an nginx reverse proxy to a web product I can’t modify (it’s an appliance).
Client –> https://myapp.com –> nginx –> https://10.1.5.9
I managed to do so, but it required stripping the "Origin" and … Continue reading Should I strip the "Origin" header from client requests?
Since application is not responding with allow credentials header, an attacker can’t craft cross domain request with cookies, but I was wondering if allow origin * alone (Without credentials being true) can be exploited?
I know allow origi… Continue reading Is there an issue if application responds with access control allow origin * but there is no allow credentials header?
Anyone in the WebAppSec world is familiar with CORS as a mechanism to specify policy for when javascript is allowed to make API calls to different domains. As WebAssembly ("Wasm" – a binary web language standardized in 2019; weba… Continue reading Does CORS interact with WebAssembly the same way it does with Javascript?
What advantages does a Cookie-to-header technique give over CORS in a cross-origin request scenario?
Example scenario:
A rest API called api.com provides data to good.com. api.com has allowlisted cross-origin requests from good.com.
Some c… Continue reading Cookie-to-Header CSRF protection vs CORS
I’m testing this application which is properly validating origin header on the sever side. However, if I add any domain and the expect domain as port, application still consider this valid.
Origin: https://random-domain.com:expected-domain… Continue reading Can the Origin header have alphabetical port or parameters in a real-life scenario?
A web server is sending these headers as a response:
Access-Control-Allow-Origin: domain
Access-Control-Allow-Credentials: true
I think domain is a mistake. What are the consequences?
I can just imagine that no origin can access that res… Continue reading What consequences has Access-Control-Allow-Origin: domain?
I’ve always read: Put validations in the backend. Frontend validations are for UX, not security. This is because bad actors can trick frontend validation. But I’m having a hard time wrapping my head around how a bad actor could trick it.
I… Continue reading How do hackers trick frontend validation?
I know there are lots of posts on the same origin policy, but I specifically want to understand why it can’t be done in this simpler way.
If evil.com makes sends a request to bank.com, browsers will not add cookies (so unauthenticated). No… Continue reading A potentially simpler same origin policy?
I’m trying to mitigate postMessage exploitation like. information leakage, xss etc.. since I can’t solve this with origin (because origin might be problematic).
I might receive/send postMessage to different origins, sometimes it might be e… Continue reading How I can mitigate postMessage exploitation? [closed]