Skip to content

Exploiting lax CORS in combination with bad cache control to read login-protected data #66

Description

@tuyenee

A response with

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET
Access-Control-Allow-Headers: Content-Type, Authorization, Content-Length, X-Requested-With
Access-Control-Allow-Credentials: false

... but with no Cache-Control can be read from a cross-origin request:

fetch(vulnerableUrl, {
method: 'GET',
cache: 'force-cache'
});

We want to verify on which browser does this attack work.

Inspired by: this report.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions