
Access Control based on Origin Header - Insecure Demo

acCOR.php, located at www.andlabs.net, reveals sensitive information to cross-origin requests (CORs) from www.andlabs.org.
Cross-origin requests from other websites are not permitted, and even accessing the page directly reveals only a normal page with no sensitive information.

This page uses only the Origin header as an access-control parameter.
Because the Origin header is set by the client and the server does nothing to verify it, this check is easily compromised by spoofing the header with a client-side program such as wget.

E.g.: wget --header="Origin: http://www.andlabs.org" www.andlabs.net/html5/acCOR.php

PHP source of http://www.andlabs.net/html5/acCOR.php:

<?php
    // Insecure by design: the Origin header arrives from the client and is the
    // only thing consulted before the sensitive string is returned.
    // isset() avoids an undefined-index notice when no Origin header is sent.
    $origin = isset($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN'] : '';
    if ($origin === "http://www.andlabs.org")
    {
        header('Access-Control-Allow-Origin: http://www.andlabs.org');
        echo "This is sensitive information only available to requests from www.andlabs.org";
    }
    else
    {
        echo "This is just a normal page with no sensitive information";
    }
?>
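As an added illustration (this is not the demo's own code), the Python below models the decision logic of acCOR.php as a pure function and places a hardened variant beside it. The hardened handler uses Origin only to decide which CORS response headers to emit and releases the data only to a request that carries a valid session credential. The session store, the session id and the sample requests are all constructed placeholders for this example.

```python
"""Origin-header-only access control, modelled next to a hardened variant.

Added example, not the andlabs.net demo code. Each handler takes the request
headers as a dict and returns (body, response_headers). The session store and
every request below are constructed placeholders for this illustration.
"""
from typing import Dict, Mapping, Optional, Tuple

ALLOWED_ORIGIN = "http://www.andlabs.org"
SENSITIVE = "This is sensitive information only available to requests from www.andlabs.org"
PUBLIC = "This is just a normal page with no sensitive information"

# Constructed session store (session id -> user). A real application would
# consult its session backend; "sess-placeholder-1" is not a real value.
SESSIONS: Dict[str, str] = {"sess-placeholder-1": "alice"}


def insecure_handler(headers: Mapping[str, str]) -> Tuple[str, Dict[str, str]]:
    """Same decision as acCOR.php: the client-supplied Origin alone grants access."""
    if headers.get("Origin") == ALLOWED_ORIGIN:
        return SENSITIVE, {"Access-Control-Allow-Origin": ALLOWED_ORIGIN}
    return PUBLIC, {}


def parse_cookies(header: Optional[str]) -> Dict[str, str]:
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies: Dict[str, str] = {}
    for part in (header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def hardened_handler(headers: Mapping[str, str]) -> Tuple[str, Dict[str, str]]:
    """Origin decides only which CORS headers are emitted; the data itself is
    released only to a request carrying a valid session credential.

    A non-browser client can still send any Origin it likes, but without a
    session cookie it gets the public page. A browser on a foreign origin may
    carry the cookie, but the server refuses outright and emits no
    Access-Control-Allow-Origin header, so it does not rely on the browser alone.
    """
    resp: Dict[str, str] = {"Vary": "Origin"}
    origin = headers.get("Origin")
    if origin is not None and origin != ALLOWED_ORIGIN:
        return PUBLIC, resp          # unknown cross-origin caller: deny
    if origin == ALLOWED_ORIGIN:
        resp["Access-Control-Allow-Origin"] = ALLOWED_ORIGIN
        resp["Access-Control-Allow-Credentials"] = "true"
    sid = parse_cookies(headers.get("Cookie")).get("sid", "")
    if sid not in SESSIONS:
        return PUBLIC, resp          # no credential: public page only
    return SENSITIVE, resp


# Constructed requests exercising both handlers.
REQUESTS: Dict[str, Dict[str, str]] = {
    # wget-style client that sets Origin by hand and holds no session
    "spoofed_origin_no_session": {"Origin": ALLOWED_ORIGIN},
    # browser on www.andlabs.org with a logged-in session
    "allowed_origin_with_session": {"Origin": ALLOWED_ORIGIN,
                                    "Cookie": "sid=sess-placeholder-1"},
    # logged-in user's browser on some other site, cookie attached automatically
    "foreign_origin_with_session": {"Origin": "http://other.example",
                                    "Cookie": "sid=sess-placeholder-1"},
    # logged-in user opening the page directly (same-origin, no Origin header)
    "direct_with_session": {"Cookie": "sid=sess-placeholder-1"},
}


def run_all() -> Dict[str, Tuple[bool, bool]]:
    """For each request: (insecure releases data?, hardened releases data?)."""
    return {name: (insecure_handler(h)[0] == SENSITIVE,
                   hardened_handler(h)[0] == SENSITIVE)
            for name, h in REQUESTS.items()}


if __name__ == "__main__":
    for name, (insecure, hardened) in run_all().items():
        print(f"{name:30s} insecure={insecure!s:5} hardened={hardened}")
```

The table printed by run_all() makes the page's point concrete: the spoofed-Origin request with no session is the only case where the two handlers disagree in the attacker's favour, while the direct, logged-in request shows the insecure version also denying a legitimate user, since it never looks at who is asking.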
        

Demo

To make a request to this page from www.andlabs.org and view the response, click here.

Based on the COR examples from Mozilla and Arun Ranga