CORS - Projectbaseline

Uploaded by

Ritu Mane

0% found this document useful (0 votes)

10 views3 pages

tets

Copyright

Available Formats

DOCX, PDF, TXT or read online from Scribd

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Report this Document

tets

Copyright:

Available Formats

Download as DOCX, PDF, TXT or read online from Scribd

Flag for inappropriate content

0% found this document useful (0 votes)

10 views3 pages

CORS - Projectbaseline

Uploaded by

Ritu Mane

tets

Copyright:

Available Formats

Download as DOCX, PDF, TXT or read online from Scribd

Flag for inappropriate content

Jump to Page

You are on page 1of 3

Search inside document

CORS (Cross-Origin Resource Sharing) origin

validation failure
URL:
https://dashboard.projectbaseline.com/

Attack Details

Access-Control-Allow-Origin: https://www.example.com
Access-Control-Allow-Credentials: true
Any origin is accepted (arbitrary Origin header values are reflected in
Access-Control-Allow-Origin response headers).

Vulnerability Description

CORS (Cross-Origin Resource Sharing) defines a mechanism to enable

client-side cross-origin requests. This application is using CORS in an
insecure way.

The web application fails to properly validate the Origin header (check Details
section for more information) and returns the header Access-Control-Allow-
Credentials: true.

In this configuration any website can issue requests made with user

credentials and read the responses to these requests. Trusting arbitrary
origins effectively disables the same-origin policy, allowing two-way interaction
by third-party web sites.
Discovered by CORS configuration assessment (active)

HTTP Request
GET / HTTP/1.1
Origin: https://www.example.com
Cookie: GCP_IAP_XSRF_NONCE_FeTJWj9XyNnzeTgLi3VmKQ=1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Host: dashboard.projectbaseline.com
Connection: Keep-alive

HTTP Response
HTTP/1.1 302 Found
Set-Cookie: GCP_IAP_XSRF_NONCE_TvnSz9-j4uCCgRKqnt2wQQ=1; expires=Tue, 29-Nov-
2022 07:14:16 GMT; path=/; Secure; HttpOnly; SameSite=none
Location: https://accounts.google.com/o/oauth2/v2/auth?client_id=747710734643-
41v241mk67vn9ttauqefa5i5ms5b6fvt.apps.googleusercontent.com&response_type=code
&scope=openid+email&redirect_uri=https://iap.googleapis.com/v1/oauth/
clientIds/747710734643-
41v241mk67vn9ttauqefa5i5ms5b6fvt.apps.googleusercontent.com:handleRedirect&cod
e_challenge=jZmFdAqVkaPBn_g3RsaVLOkWNz5bunpFEbOzzQmVxMg&code_challenge_method=
S256&cred_ref=true&state=eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InVYOGFfU
SJ9.eyJyZnAiOiJXcVp5YmRtZVRCbTJkQnM5SU03YkF0UTZmeXFlR080SnhLbk1LWTA3UVFrIiwiaX
NzIjoiaHR0cHM6Ly9jbG91ZC5nb29nbGUuY29tL2lhcCIsImF1ZCI6Ijc0NzcxMDczNDY0My00MXYy
NDFtazY3dm45dHRhdXFlZmE1aTVtczViNmZ2dC5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSIsIn
RhcmdldF91cmkiOiJodHRwczovL2Rhc2hib2FyZC5wcm9qZWN0YmFzZWxpbmUuY29tLz9nY3AtaWFw
LW1vZGU9QVVUSEVOVElDQVRJTkciLCJvcmlnaW5fdXJpIjoiaHR0cHM6Ly9kYXNoYm9hcmQucHJvam
VjdGJhc2VsaW5lLmNvbS8iLCJpYXQiOjE2Njk3MDU0NTYsImV4cCI6MTY2OTcwNjA1NiwiZW5jcnlw
dGVkX2NvZGVfdmVyaWZpZXIiOiJcdTAwMDDNIFx1MDAxZFx1MDAwN_p89F6-
mPyEaMZpxYJRV3NcdTAwMTglWymRMJ6RjFx1MDAxY1xu_Hi66Fx1MDAwMbnmkdH7_yyfupZAdqfyOV
x1MDAyNjbNXHUwMDFjSVx1MDAxZuBcdTAwM2NNPeNpN0RcdTAwMTWeaUWjNfGHgPpNYVx1MDAxNlx1
MDAxZSJ9.M01FQCCPBjmvHeqNlkrt3vDCIK7Y7eV1_h33glvZmCtArkApZBV0IOz3BZgv00dE-
7OlhKcUPL7ykT4hIgDgcQ
X-Goog-IAP-Generated-Response: true
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://www.example.com
Access-Control-Allow-Headers: X-Requested-With
Date: Tue, 29 Nov 2022 07:04:17 GMT
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

The impact of this vulnerability

Any website can issue requests made with user credentials and read the
responses to these requests.

How to fix this vulnerability

Allow only selected, trusted domains in the Access-Control-Allow-Origin

header.

Classification

CWE
CWE-942
CVSS
Base Score: 5.4 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Web References

 CORS Security Considerations

 WordPress REST API Handbook FAQ: Why is the REST API not verifying
the incoming Origin header?

SQLMX Vs Oracle
Document49 pages
SQLMX Vs Oracle
Paul Chin
No ratings yet
Armor Rule Tuning
Document12 pages
Armor Rule Tuning
Rizky 'Kimun' Rachmanto Prastyo
No ratings yet
MMW Module 4 - Statistics - Data Management
Document4 pages
MMW Module 4 - Statistics - Data Management
Erille Julianne (Rielianne)
100% (1)
APDevDW 03 Filter Route
Document15 pages
APDevDW 03 Filter Route
Wolverine
No ratings yet
Verilog System Tasks and Functions
Document16 pages
Verilog System Tasks and Functions
dharmendraonline
No ratings yet
R Studio
Document25 pages
R Studio
N K
No ratings yet
FA DBMS Objective FINAL
Document16 pages
FA DBMS Objective FINAL
Pramod Srivastava
No ratings yet
Code Together-2
Document43 pages
Code Together-2
Eedula Ganeshreddy
No ratings yet
Nilesh Chouibisa
Document15 pages
Nilesh Chouibisa
Dhruv Kanthaliya
No ratings yet
Trellix Application Control For Windows Essentials
Document10 pages
Trellix Application Control For Windows Essentials
Lyu Sey
No ratings yet
DPV 4HP2 Commax
Document7 pages
DPV 4HP2 Commax
Anonymous 4aChpF1hZ
No ratings yet
Electrical Design Engineer & Protection Engineer
Document2 pages
Electrical Design Engineer & Protection Engineer
Ayansh patnaik
No ratings yet
ELV Draftsman 2023
Document3 pages
ELV Draftsman 2023
Praveen Raj
No ratings yet
Works - Passleader.pcnse - pdf.2022 Oct 25.by - Toby.94q.vce
Document25 pages
Works - Passleader.pcnse - pdf.2022 Oct 25.by - Toby.94q.vce
Youssef Bouanani
No ratings yet
DBMS PBL
Document36 pages
DBMS PBL
palle sureshnaidu
No ratings yet
Session1e PTActA ACL
Document4 pages
Session1e PTActA ACL
Không Trân
No ratings yet
EnviroConnect Server API For TSPCB Revised
Document16 pages
EnviroConnect Server API For TSPCB Revised
Naga Raju
No ratings yet
JavaScript Built in Object
Document4 pages
JavaScript Built in Object
Bhavik Sanghar
No ratings yet
Nums 2012 20 1
Document113 pages
Nums 2012 20 1
Danish
No ratings yet
Qkpdrbwjxyf4tknupdi3r2hq PDF
Document1 page
Qkpdrbwjxyf4tknupdi3r2hq PDF
tanya yadav
No ratings yet
4.4-Amazon API Gateway - Digital Cloud Training
Document28 pages
4.4-Amazon API Gateway - Digital Cloud Training
dsdfr
No ratings yet
Asia 15 Prado Browsers Gone Wild
Document58 pages
Asia 15 Prado Browsers Gone Wild
Priest Slave
No ratings yet
Car Showroom Final Report
Document41 pages
Car Showroom Final Report
Anagha M
No ratings yet
Aws MCQ W3school PDF
Document16 pages
Aws MCQ W3school PDF
adilmohdkhan1089
No ratings yet
SFM Stock Market Analysis.
Document34 pages
SFM Stock Market Analysis.
PRINCE SINGH RAJPUT Student, Jaipuria Indore
No ratings yet
Syllabus (4 Years)
Document101 pages
Syllabus (4 Years)
A SAI KIRAN
No ratings yet
Elective I Java Programming Notes
Document219 pages
Elective I Java Programming Notes
somany12
No ratings yet
1.5.1 Productivity and Costs Practice Activity
Document5 pages
1.5.1 Productivity and Costs Practice Activity
stjepan
No ratings yet
Study Material by M. Shadab Khan: Queuing Theory
Document42 pages
Study Material by M. Shadab Khan: Queuing Theory
rebka mesfin
No ratings yet
Pcnsa V17.95
Document72 pages
Pcnsa V17.95
Clever Romani Ayala
No ratings yet
Java Interview Questions and Answers 2022
Document36 pages
Java Interview Questions and Answers 2022
sumit mali
No ratings yet
Core Spring 3.0 Certification Mock Exam: Container
Document10 pages
Core Spring 3.0 Certification Mock Exam: Container
iyy u
No ratings yet
Acronyms
Document4 pages
Acronyms
Anastasia Zaitsev
No ratings yet
Department of Networking and Cyber Security
Document49 pages
Department of Networking and Cyber Security
michael kankam
No ratings yet
Rahul
Document100 pages
Rahul
Priyanka mestry
No ratings yet
Cloud Foundry
Document14 pages
Cloud Foundry
Aditya Bhuyan
No ratings yet
NASA JPL Coding Standard Java
Document40 pages
NASA JPL Coding Standard Java
merlin444
No ratings yet
20BET1008 Final Report Webdevlopment
Document30 pages
20BET1008 Final Report Webdevlopment
Aniket Kainth
No ratings yet
ETI - PPT (Application Hacking) (Autosaved)
Document7 pages
ETI - PPT (Application Hacking) (Autosaved)
Shivani
No ratings yet
SRS Hospital
Document8 pages
SRS Hospital
Axid
No ratings yet
1.1 Solution PDF
Document165 pages
1.1 Solution PDF
coolboyasif
No ratings yet
Lecture - Software Testing and Applications
Document30 pages
Lecture - Software Testing and Applications
Karan Patel
No ratings yet
Log
Document2,030 pages
Log
E Din Din
No ratings yet
Geeks!
Document7 pages
Geeks!
Shyam Bambal
No ratings yet
F
Document11 pages
F
Rishab Ramchurn
No ratings yet
145 Manish Valecha
Document66 pages
145 Manish Valecha
Meet Gandhi
No ratings yet
Value - Creation - and - The - Impact - (CD)
Document27 pages
Value - Creation - and - The - Impact - (CD)
Jummy BMS
No ratings yet
Interview Questions and Answer
Document29 pages
Interview Questions and Answer
Jayyant Chaudhari
No ratings yet
SSL Insight and Load Balancing For Thunder ADC: Deployment Guide
Document52 pages
SSL Insight and Load Balancing For Thunder ADC: Deployment Guide
Phuong Tran
No ratings yet
Azure Functions Intro
Document23 pages
Azure Functions Intro
swapnilr85
No ratings yet
Section 1. Letter of Invitation / / - W 1-/: Name & Address Consultant
Document125 pages
Section 1. Letter of Invitation / / - W 1-/: Name & Address Consultant
SalmanRandhawa
No ratings yet
Notes FUNCTION, Python Kotlin Java
Document2 pages
Notes FUNCTION, Python Kotlin Java
Hirasya Sugiharto
No ratings yet
PHP Basics 2020
Document16 pages
PHP Basics 2020
Jaye 99
No ratings yet
Appendix 1
Document35 pages
Appendix 1
Purvi Sharma
No ratings yet
CCS316 Examination Paper
Document5 pages
CCS316 Examination Paper
21UG0613 HANSANI L.A.K.
No ratings yet
String Programs
Document15 pages
String Programs
Ravikiran Kadam
No ratings yet
Innov - Rapid MicroLearning Solutions
Document30 pages
Innov - Rapid MicroLearning Solutions
akshy28apr
No ratings yet
Diabetes Detection System
Document35 pages
Diabetes Detection System
Mahadev Sakhare
No ratings yet
Vuln Scan
Document12 pages
Vuln Scan
Brijendra Pratap Singh
No ratings yet
Exploiting Misconfigured CORS
Document10 pages
Exploiting Misconfigured CORS
Winning Whales
No ratings yet
Cross-Site Request Forgery: Collin Jackson
Document31 pages
Cross-Site Request Forgery: Collin Jackson
Ade Haryanto Sagala
No ratings yet
Exploiting The Java Deserialization Vulnerability
Document17 pages
Exploiting The Java Deserialization Vulnerability
rberrospi
No ratings yet
Usage Procedure Logging PDF
Document4 pages
Usage Procedure Logging PDF
yassien
No ratings yet
Demystifying Solution Manager 7.1 - Configuration Focus On Diagnostics Roland Hoeller SAP PDF
Document106 pages
Demystifying Solution Manager 7.1 - Configuration Focus On Diagnostics Roland Hoeller SAP PDF
prabhatiu
No ratings yet
Memory Management For Som
Document8 pages
Memory Management For Som
Ritu Mane
No ratings yet
Test
Document1 page
Test
Ritu Mane
No ratings yet
Errors During Support Pack - 1440998551920
Document9 pages
Errors During Support Pack - 1440998551920
Ritu Mane
No ratings yet
ADD-On Installation 1441557250222
Document15 pages
ADD-On Installation 1441557250222
Ritu Mane
No ratings yet
Ha 100
Document1 page
Ha 100
Ritu Mane
No ratings yet
Mi Sale Script
Document1 page
Mi Sale Script
Ritu Mane
No ratings yet
Metconv
Document5 pages
Metconv
Ritu Mane
No ratings yet
Upgrade Notes
Document1 page
Upgrade Notes
Ritu Mane
No ratings yet
Ssap
Document1 page
Ssap
Ritu Mane
No ratings yet
Fill Grpid
Document1 page
Fill Grpid
Ritu Mane
No ratings yet
Emax Volume 4
Document184 pages
Emax Volume 4
madhubisani2005
100% (3)
Helllo
Document3 pages
Helllo
Ritu Mane
No ratings yet
Abap Code Book
Document66 pages
Abap Code Book
Dineshkumar Akula
No ratings yet
Apti Tiute Answer 19august
Document7 pages
Apti Tiute Answer 19august
Ritu Mane
No ratings yet
Helllo
Document3 pages
Helllo
Ritu Mane
No ratings yet
EDMI User Manual
Document11 pages
EDMI User Manual
Dai Haizhong
No ratings yet
Ampeg SVT Classic Owner's Guide
Document8 pages
Ampeg SVT Classic Owner's Guide
Alexandre S. Corrêa
No ratings yet
Sample - China Digital Freight Forwarding Maeket (2020 - 2025) - Mordor Intelligence
Document47 pages
Sample - China Digital Freight Forwarding Maeket (2020 - 2025) - Mordor Intelligence
redejavoe
No ratings yet
Product Datasheet
Document1 page
Product Datasheet
Cătălin Nicoară
No ratings yet
Materi Welding Defect II
Document64 pages
Materi Welding Defect II
smartz inspection
No ratings yet
Electric Vehicle Powertrain Simulation To Optimize Battery and Vehicle Performances
Document5 pages
Electric Vehicle Powertrain Simulation To Optimize Battery and Vehicle Performances
Narendra Yadav
No ratings yet
DO LE#8 Rice Reapers and Combines PDF
Document37 pages
DO LE#8 Rice Reapers and Combines PDF
Larry
No ratings yet
Jones 1984 Review
Document3 pages
Jones 1984 Review
Lucas Martinez
No ratings yet
Condition Based Monitoring For HT Motor (Inhouse) S.No Name of Test Description
Document11 pages
Condition Based Monitoring For HT Motor (Inhouse) S.No Name of Test Description
Yadav Akhilesh
No ratings yet
All India Company Email PDF Free
Document1,581 pages
All India Company Email PDF Free
vikas.srivastava
No ratings yet
Ciclo Di Verniciatura: Technical Properties
Document1 page
Ciclo Di Verniciatura: Technical Properties
Maffone Numerouno
No ratings yet
Kyplot Research PDF
Document10 pages
Kyplot Research PDF
Takkas Fernando
No ratings yet
Workforce Ds 1630 Brochure
Document2 pages
Workforce Ds 1630 Brochure
Jose
No ratings yet
DB100 Manual (KIMO)
Document2 pages
DB100 Manual (KIMO)
Hamza Widadi
No ratings yet
Ops MGT Saumu
Document8 pages
Ops MGT Saumu
Saumu Suleiman
No ratings yet
Secure Coding - PHP v.1.1
Document137 pages
Secure Coding - PHP v.1.1
Bond James
No ratings yet
Digital SLR Photography Solutions, From PC Magazine - 89
Document419 pages
Digital SLR Photography Solutions, From PC Magazine - 89
adi22-22
No ratings yet
Global Data Center Newsletter - 2023.06.15
Document22 pages
Global Data Center Newsletter - 2023.06.15
indr4m4 7u5uf
No ratings yet
Assignment#3 Atif Ali
Document8 pages
Assignment#3 Atif Ali
Atif Ali
No ratings yet
Paper-Jam Error (GXXX Errors) : Chapter 17. Panel Messages
Document2 pages
Paper-Jam Error (GXXX Errors) : Chapter 17. Panel Messages
Karamfil 'Trun' Hristov
No ratings yet
Elegant Plants Research Poster by Slidesgo
Document26 pages
Elegant Plants Research Poster by Slidesgo
Afifah Nisa Rahmadani
No ratings yet
CASE STUDY - Collapsed Wind Tower - A Root Cause Investigation (Element Materials Technology)
Document3 pages
CASE STUDY - Collapsed Wind Tower - A Root Cause Investigation (Element Materials Technology)
engrrahman3135
No ratings yet
Power System Protection 2
Document56 pages
Power System Protection 2
Ahmed Ibrahim
No ratings yet
Lec 1 - 2 Introduction
Document40 pages
Lec 1 - 2 Introduction
nadia.imran
No ratings yet
Microcontroller Based Smart Crop Protection
Document3 pages
Microcontroller Based Smart Crop Protection
International Journal of Innovative Science and Research Technology
No ratings yet
A Study On Consumer Buying Behavior Towards Online and Offline Shopping
Document94 pages
A Study On Consumer Buying Behavior Towards Online and Offline Shopping
ARAVIND
No ratings yet
Borland - Working Drawings
Document1 page
Borland - Working Drawings
leona lopez
No ratings yet
Scraper Output
Document2 pages
Scraper Output
Elvis Dzebo
No ratings yet
IP Project Class 12th Anupriya
Document22 pages
IP Project Class 12th Anupriya
anu870906
No ratings yet