Tests verifying the soundness of the Access-Control-Allow-Origin header
*) to allow multiple origins while at the
same time allowing authenticated requests. This is why many implementations create dynamic
responses based on the Origin header. If an endpoint blindly allows all origins
while at the same time allowing authenticated requests, either the resource should not require
authentication or it is too sensible to be shared across origin boundaries. This test case
blindly replays the Origin header in the Access-Control-Allow-Origin
header.
Origin header is validated by eg.
origin.startsWith("google.com"), this might be bypassed by appending an
attacker conrolled hostname (https://google.com.foo.com). This test case
replays the Origin header in the Access-Control-Allow-Origin
header when the Origin starts with a given value.
Origin header is validated by eg.
origin.endsWith("google.com"), this might be bypassed by prepending to parts
to the hostname (https://foogoogle.com). This test case replays the
Origin header in the Access-Control-Allow-Origin header when
the Origin ends with a given value.
Origin header is validated by eg.
origin.match("www.google.com"), this might be bypassed by replacing the dots (https://wwwXgoogle.com). This test case
replays the Origin header in the Access-Control-Allow-Origin
header when the Origin matches a given value.
Origin header is validated by eg.
origin.endsWith("www.google.com"), this might be bypassed by downgrading to http (http://www.google.com). This test case
replays the Origin header in the Access-Control-Allow-Origin
header when the Origin matches only the hostname and port.
null origin in an Access-Control-Allow-Origin header is
equivalent to allowing every origin. Combined with allowing authenticated requests, the same
concerns as with insecure dynamic header generation apply.