Description
WebInspect has detected the target application supports “Origin: null” for CORS requests, making it vulnerable to CORS attacks.
Cross-Origin Resource Sharing, commonly referred to as CORS, is a technology that allows a domain to define a policy for its resources to be accessed by a web page hosted on a different domain using cross-domain XML HTTP Requests (XHR). Historically, the browser restricts cross-domain XHR requests to abide by the same-origin policy. In its basic form, the same-origin policy sets the script execution scope to the resources available on the current domain and prohibits any communication to domains outside this scope. Therefore, execution and incorporation of remote methods and functions hosted on domains outside of the current domain are effectively prohibited. While CORS is supported on all major browsers, it also requires that the domain correctly defines the CORS policy in order to have its resources shared with another domain. These restrictions are managed by access policies typically included in specialized response headers, such as:
Access-Control-Allow-Origin
Access-Control-Allow-Headers
Access-Control-Allow-Methods
In this instance, the Access-Control-Allow-Origin header is set to "null" as seen in the pre-flight response. This makes the target application vulnerable to CORS attacks. Sandboxed documents and various URI schemes such as data: or file: have their 'Origin' defined as 'null'. Thus, any malicious user can easily obtain "Origin: null" by simply issuing the CORS request from within an iframe that uses the sandbox attribute.
Solution
Add the following to the nginx server block (Access-Control-Allow-Origin carries a single origin, not a comma-separated list, so name the one allowed origin here or select it per request):
add_header Access-Control-Allow-Origin <allowed origin, e.g. scheme://ip-or-domain>;
For example:
server {
    # The browser compares the full serialized origin (scheme://host[:port]),
    # so a bare IP or hostname would never match; include the scheme
    add_header Access-Control-Allow-Origin http://192.168.11.62;
}
or
server {
    # Echoes whatever Origin the client sent, including the literal "null",
    # so this variant does not address the finding
    add_header 'Access-Control-Allow-Origin' $http_origin;
}
In practice, the scanner still flagged it.
Another solution
Check $http_origin and return 403 directly if it is not on the whitelist:
# Anchored regex with escaped dots: "null", an empty-prefix trick such as
# http://192.168.1.1.attacker.example, and any other origin fall through to 403.
# An absent Origin header (same-origin or non-browser request) matches the
# empty alternative and is allowed, so ordinary page loads are not blocked.
if ($http_origin !~* '^(https?://(192\.168\.1\.1|172\.1\.1\.1))?$') {
    return 403;
}
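As an added example that is not part of the original post or of nginx, the following Python reproduces the whitelist decision from the second solution and a small check that classifies a server's CORS response the way the scanner finding above does. The allowed origins are the placeholder addresses from the post; `cors_response_headers` and `cors_finding` are hypothetical names.

```python
import re

# Constructed allow-list mirroring the nginx regex above (placeholder addresses).
ORIGIN_RE = re.compile(r"^https?://(192\.168\.1\.1|172\.1\.1\.1)$", re.IGNORECASE)


def cors_response_headers(origin):
    """Decide the status and CORS headers for a request carrying Origin=origin.

    - no Origin header (same-origin or non-browser request): allowed, no CORS headers
    - Origin on the allow-list: echo that exact origin (never "*", never "null")
    - anything else, including the literal string "null": refuse with 403
    """
    if origin is None:
        return 200, {}
    if ORIGIN_RE.match(origin):
        # Vary: Origin keeps caches from serving one origin's header to another
        return 200, {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return 403, {}


def cors_finding(request_origin, response_headers):
    """Classify a response as the WebInspect finding in the description would.

    Returns a short finding string, or None when the response looks safe.
    """
    acao = response_headers.get("Access-Control-Allow-Origin")
    creds = response_headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao is None:
        return None
    if acao == "null":
        return "Access-Control-Allow-Origin: null (sandboxed iframe / data: origin accepted)"
    if acao == "*" and creds:
        return "wildcard origin sent together with Allow-Credentials (invalid combination)"
    if acao == request_origin and not ORIGIN_RE.match(request_origin):
        return "Origin header reflected without an allow-list"
    return None
```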
References
https://vulncat.fortify.com/en/detail?id=desc.dynamic.html.html5_cors_functionality_abuse
https://blog.csdn.net/enthan809882/article/details/107941696
https://blog.csdn.net/u014163312/article/details/120007012