
An application I'm working on responds to a wildcard Origin header by setting the Access-Control-Allow-Origin to subdomain.app.com if it ends with .app.com.

However, if I append .app.com to a GET variable, as below:

Origin: example.com?q=.app.com

it responds with the following:

Access-Control-Allow-Origin: example.com?q=.app.com

This is vulnerable if browsers can be configured to pass the GET variable, or entire url.

I'm wondering if any browsers send the Origin header along with the entire URL, or if JavaScript can be configured to allow this. From my testing, Chrome / Firefox set the Origin header to the tld only. Does anyone know if this configuration is vulnerable?

0lly
  • Related: https://security.stackexchange.com/questions/244526/is-it-possible-for-origin-header-to-have-alphaebtical-port-or-parameters-in-real – jub0bs Sep 09 '21 at 15:43

1 Answer


Origin is a Forbidden header name, and a standards-compliant user agent should only send the domain name in the Origin header. It cannot be modified programmatically in standards-compliant browsers. Note that user agents that don't try to be standards compliant, such as curl, or very old browsers from before the specification was written, may not enforce this restriction.

Lie Ryan
  • Seems that browsers enforce: `Origin: <scheme> "://" <hostname> [ ":" <port> ]`, so I guess the answer to my question is it isn't vulnerable. – 0lly Dec 06 '17 at 02:05
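As an added example (not code from the question or from the application it describes), the suffix check the question describes is shown beside a stricter validator that parses the Origin value as scheme://host[:port] and compares the host, so that a value like `example.com?q=.app.com` is rejected even if some non-browser client sends it. The base domain `app.com` and the https-only policy are assumptions for the example.

```python
from urllib.parse import urlsplit

# Assumed allowlisted base domain; stands in for the question's app.com.
ALLOWED_BASE = "app.com"


def flawed_allow_origin(origin: str):
    """The check the question describes: reflect any Origin string that
    merely ends with '.app.com'. A query string or path can satisfy it."""
    if origin.endswith("." + ALLOWED_BASE):
        return origin
    return None


def strict_allow_origin(origin: str):
    """Accept only a well-formed origin (scheme://host[:port]) whose host is
    app.com or a subdomain of it, and reflect it unchanged on success."""
    parts = urlsplit(origin)
    # A browser-sent Origin has no path, query, fragment or credentials.
    if parts.path or parts.query or parts.fragment:
        return None
    if parts.username is not None or parts.password is not None:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    try:
        parts.port  # raises ValueError on a malformed port such as ':abc'
    except ValueError:
        return None
    host = parts.hostname.lower()
    # Exact match or a true subdomain: 'app.com.evil.com' does not qualify.
    if host != ALLOWED_BASE and not host.endswith("." + ALLOWED_BASE):
        return None
    return origin


def cors_headers(origin: str) -> dict:
    """Response headers for a validated origin; Vary keeps caches from
    serving one origin's ACAO value to another."""
    allowed = strict_allow_origin(origin)
    if allowed is None:
        return {"Vary": "Origin"}
    return {"Access-Control-Allow-Origin": allowed, "Vary": "Origin"}


if __name__ == "__main__":
    for o in ["example.com?q=.app.com", "https://sub.app.com",
              "https://app.com.evil.com", "https://evil.com?q=.app.com"]:
        print(o, "->", flawed_allow_origin(o), "|", strict_allow_origin(o))
```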