14

Recently PortSwigger (guys behind Burp Suite) came up with a blog post discussing the security risks associated with CORS mis-configurations.

http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html

In summary, the blog talks about insecure ways of enabling CORS which can allow malicious web sites to read data from a target site. Towards the end, the blog talks about a prevention mechanism involving the Vary: Origin header:

If you take a look at the 'Implementation Considerations' section in the CORS specification, you'll notice that it instructs developers specify the 'Vary: Origin' HTTP header whenever Access-Control-Allow-Origin headers are dynamically generated.

I am having a hard time understand how exactly the Vary header helps prevent CORS exploitation (XSS using cache poisoning) in a scenario where the Access-Control-Allow-Origin header is dynamically generated (controlled by client).

Shurmajee
  • 7,285
  • 5
  • 27
  • 59

1 Answers1

15

It's important to include the Vary: Origin header to prevent caching. The header indicates that the response is in some way dependent on the origin and should therefore not be served from cache for any other origin. If the header is missing, cache poisoning attacks might be possible as explained in the article by the example of XSS via a reflected custom header. A missing Vary header doesn't create a vulnerability on its own.

Arminius
  • 43,922
  • 13
  • 140
  • 136
  • 1
    So this control would only prevent the cache poisoning attacks. There would still be risk associated with accepting arbitrary origins for cross domain data access. Is my understanding correct? – Shurmajee Feb 23 '17 at 07:58
  • @Shurmajee Yes! – Arminius Feb 23 '17 at 14:28
  • "should therefore not be served from cache for any other origin" - does it mean that if my frontend app runs on a different domain, and the browser makes requests to this endpoint on the frontend app's behalf, the responses would not get cached? even if Cache-Control headers are set correctly? – gaurav5430 Jun 22 '19 at 17:35
  • 1
    @Arminius Would this attack not be mitigated by the proper cache-control directives? – Rice Jul 19 '19 at 16:08