validation failure
URL:
https://dashboard.projectbaseline.com/
Attack Details
Access-Control-Allow-Origin: https://www.example.com
Access-Control-Allow-Credentials: true
Any origin is accepted (arbitrary Origin header values are reflected in Access-Control-Allow-Origin response headers).
Vulnerability Description
The web application fails to properly validate the Origin header (check the Details section for more information) and returns the header Access-Control-Allow-Credentials: true.
HTTP Request
GET / HTTP/1.1
Origin: https://www.example.com
Cookie: GCP_IAP_XSRF_NONCE_FeTJWj9XyNnzeTgLi3VmKQ=1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Host: dashboard.projectbaseline.com
Connection: Keep-alive
HTTP Response
HTTP/1.1 302 Found
Set-Cookie: GCP_IAP_XSRF_NONCE_TvnSz9-j4uCCgRKqnt2wQQ=1; expires=Tue, 29-Nov-2022 07:14:16 GMT; path=/; Secure; HttpOnly; SameSite=none
Location: https://accounts.google.com/o/oauth2/v2/auth?client_id=747710734643-41v241mk67vn9ttauqefa5i5ms5b6fvt.apps.googleusercontent.com&response_type=code&scope=openid+email&redirect_uri=https://iap.googleapis.com/v1/oauth/clientIds/747710734643-41v241mk67vn9ttauqefa5i5ms5b6fvt.apps.googleusercontent.com:handleRedirect&code_challenge=jZmFdAqVkaPBn_g3RsaVLOkWNz5bunpFEbOzzQmVxMg&code_challenge_method=S256&cred_ref=true&state=eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InVYOGFfUSJ9.eyJyZnAiOiJXcVp5YmRtZVRCbTJkQnM5SU03YkF0UTZmeXFlR080SnhLbk1LWTA3UVFrIiwiaXNzIjoiaHR0cHM6Ly9jbG91ZC5nb29nbGUuY29tL2lhcCIsImF1ZCI6Ijc0NzcxMDczNDY0My00MXYyNDFtazY3dm45dHRhdXFlZmE1aTVtczViNmZ2dC5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSIsInRhcmdldF91cmkiOiJodHRwczovL2Rhc2hib2FyZC5wcm9qZWN0YmFzZWxpbmUuY29tLz9nY3AtaWFwLW1vZGU9QVVUSEVOVElDQVRJTkciLCJvcmlnaW5fdXJpIjoiaHR0cHM6Ly9kYXNoYm9hcmQucHJvamVjdGJhc2VsaW5lLmNvbS8iLCJpYXQiOjE2Njk3MDU0NTYsImV4cCI6MTY2OTcwNjA1NiwiZW5jcnlwdGVkX2NvZGVfdmVyaWZpZXIiOiJcdTAwMDDNIFx1MDAxZFx1MDAwN_p89F6-mPyEaMZpxYJRV3NcdTAwMTglWymRMJ6RjFx1MDAxY1xu_Hi66Fx1MDAwMbnmkdH7_yyfupZAdqfyOVx1MDAyNjbNXHUwMDFjSVx1MDAxZuBcdTAwM2NNPeNpN0RcdTAwMTWeaUWjNfGHgPpNYVx1MDAxNlx1MDAxZSJ9.M01FQCCPBjmvHeqNlkrt3vDCIK7Y7eV1_h33glvZmCtArkApZBV0IOz3BZgv00dE-7OlhKcUPL7ykT4hIgDgcQ
X-Goog-IAP-Generated-Response: true
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://www.example.com
Access-Control-Allow-Headers: X-Requested-With
Date: Tue, 29 Nov 2022 07:04:17 GMT
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Any website can issue requests made with user credentials and read the responses to these requests.
Classification
CWE
CWE-942
CVSS
Base Score: 5.4 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None
Web References