Tuesday, December 29, 2020

How to get Testcafe to fail on the not allowed CORS headers

I'm testing that the production web app has only allowed CORS HTTP headers. In my tests, the sent illegal CORS headers bypass the browser validations since the request goes to and comes from a proxy URL located on the same origin. For example:

Request URL: http://192.168.0.139:43561/T87i44N5N*DrJe7nq7U/https://example.com/cart

My HTTP request contains the following custom HTTP header:

evil-header: break-it

In the response, this header is not allowed in the access-control-allow-headers value and is supposed to cause a CORS error.

access-control-allow-headers: authorization, accept-currency, accept-language, cookie, content-type, context-campaign, context-container-name, csrf-token, customer-id, experiments, geo-ip-country, origin, referer, session-id, visitor-id

Despite this, the request returns with status code 200 and the test does not fail.
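Because the TestCafe proxy puts request and response on the same origin, the browser never runs its CORS check, so the test has to perform that check itself. The following is an added example (not code from the question or from TestCafe): a pure JavaScript function that reproduces the browser's Access-Control-Allow-Headers decision for the request headers actually sent, plus a helper that throws so the test fails. The function names, the `credentials` option and the sample request are assumptions; the allow list is the one quoted above.

```javascript
// CORS-safelisted request headers pass the browser's check without being
// listed in Access-Control-Allow-Headers. Content-Type only counts when its
// MIME type is one of the three "simple" types.
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language']);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

function isSafelisted(name, value) {
  if (name === 'content-type') {
    const mime = String(value).split(';')[0].trim().toLowerCase();
    return SIMPLE_CONTENT_TYPES.has(mime);
  }
  return SAFELISTED.has(name);
}

// Parse a comma-separated header list into a Set of lower-cased names.
function parseHeaderList(value) {
  return new Set((value || '').split(',').map(h => h.trim().toLowerCase()).filter(Boolean));
}

// Return the request header names a browser would refuse on a cross-origin
// request, given the response's Access-Control-Allow-Headers. Header names in
// either object may be in any case. `credentials` mirrors whether the request
// carried cookies/authorization: with credentials, "*" is a literal, not a wildcard.
function disallowedCorsHeaders(requestHeaders, responseHeaders, { credentials = true } = {}) {
  const key = Object.keys(responseHeaders).find(k => k.toLowerCase() === 'access-control-allow-headers');
  const allowed = parseHeaderList(key ? responseHeaders[key] : '');
  const wildcard = allowed.has('*') && !credentials; // "*" never covers Authorization
  return Object.entries(requestHeaders)
    .map(([name, value]) => [name.toLowerCase(), value])
    .filter(([name, value]) => !isSafelisted(name, value))
    .filter(([name]) => !(wildcard && name !== 'authorization'))
    .filter(([name]) => !allowed.has(name))
    .map(([name]) => name);
}

// Throw (and thereby fail the test) when any sent header is not permitted.
function assertCorsAllowed(requestHeaders, responseHeaders, opts) {
  const bad = disallowedCorsHeaders(requestHeaders, responseHeaders, opts);
  if (bad.length) throw new Error(`Headers not permitted by Access-Control-Allow-Headers: ${bad.join(', ')}`);
}

// Constructed sample mirroring the question: the allow list is the one from the response above.
const sampleRequest = { 'evil-header': 'break-it', 'Content-Type': 'application/json', 'session-id': 'abc' };
const sampleResponse = {
  'access-control-allow-headers': 'authorization, accept-currency, accept-language, cookie, content-type, context-campaign, context-container-name, csrf-token, customer-id, experiments, geo-ip-country, origin, referer, session-id, visitor-id',
};
```

In a TestCafe run the request headers and the response headers would be captured by a request hook (for example a RequestHook's onRequest/onResponse pair) and passed to `assertCorsAllowed` so that the 200 response no longer hides the violation.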
