Fixed up test and made it entirely HTML+JS instead of PHP.
authorbhill@L-SJN-00530327.corp.ebay.com
Thu, 02 Feb 2012 16:31:22 -0800
changeset 21 bace715cb5a3
parent 20 e11a5fd84f2b
child 22 1e1ca166961c
Fixed up test and made it entirely HTML+JS instead of PHP.
tests/cors/submitted/bhill2/redir-test.html
tests/cors/submitted/bhill2/redir-test.php
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/submitted/bhill2/redir-test.html	Thu Feb 02 16:31:22 2012 -0800
@@ -0,0 +1,61 @@
+<!DOCTYPE html>
+<html>
+       <head>
+                <title>CORS Test: Origin Header reflection vulnerability test</title>
+                <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+                <meta descriptionn="Cross Origin Resource Sharing Test: Origin Header reflection" />
+                <link rel="author" title="bhill@paypal-inc.com" />
+                <script src="/resources/testharness.js"></script>
+                <script src="/resources/testharnessreport.js"></script>
+
+		<script>
+			function dirname(path) { return path.replace(/\/[^\/]*$/,'/') }
+
+			var crossdomain = dirname(location.href).replace('://www.','://www3.');
+
+			var t = async_test("Test async CORS request modifies Origin on cross-domain redirection to prevent reflection/redirection attacks.");
+		</script>
+
+        </head>
+<body>
+	<div id="log"></div>
+
+
+	<script>
+		// Get what the reported Origin is with a synchronous request and no redirects.
+                var req = new XMLHttpRequest();
+                req.open("GET", crossdomain + 'support/get-origin.php', false);
+	 	req.send();
+
+		// If a CORS request recieves a redirect across FQDNs, the origin should either be set to 
+		// null, the entire header set to null or the redirecting origin appended to the origin list.
+		// If this is not done, an attack could be mounted by the remote server, e.g. redirecting the
+		// request back to the originating origin and, e.g. bypass CSRF defenses that rely exclusively
+		// on the value of Origin.  (not a good idea, but certainly possible)
+		//
+		// the "support/redir-to-get-origin.php" script performs such a reflection, so this test needs
+		// to verify that the reported origin is *not* the same as this script's origin 
+		//
+		// This test verifies changes requested as part of ACTION-46:
+		// http://www.w3.org/2011/webappsec/track/actions/46
+
+                var req2 = new XMLHttpRequest();
+		req2.onreadystatechange = function() {
+		  if(this.readyState = this.DONE) {
+			t.step(function() {assert_not_equals(req.responseText, 
+					   		     req2.responseText,
+					   		     "Verify that Origin header is modified by redirect.");});
+			t.done();
+		  }
+		};
+
+		// bugs in webkit require async CORS request when following redirects
+                req2.open("GET", crossdomain + 
+				 'support/redir-to-get-origin.php?url=' + 
+				 encodeURIComponent(dirname(location.href) + 'support/get-origin.php'), true);
+
+		t.step_func(function() {req2.send()} );
+
+	</script>
+</body>
+</html>
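Review bot: The readyState check at `if(this.readyState = this.DONE)` assigns rather than compares, so the handler body runs on every readystatechange (including the OPENED event fired by `req2.open` on the next lines), when `req2.responseText` is still empty; `assert_not_equals` then passes against the non-empty `req.responseText` and `t.done()` fires before any response arrives, so the reflection check would report a pass without the redirect ever being exercised. The last statement compounds this: `t.step_func(function() {req2.send()} )` only wraps the callback and never invokes it, so `req2.send()` is never called at all. Suggested changes: `if (this.readyState === XMLHttpRequest.DONE) {` and `t.step(function() { req2.send(); });`. It would also be worth asserting `req.responseText` is non-empty before the comparison, since an empty baseline would make the inequality test vacuous.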
--- a/tests/cors/submitted/bhill2/redir-test.php	Wed Feb 01 16:40:44 2012 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,66 +0,0 @@
-<?php
-
-//TODO: make CORS request to redir-to-get-origin.php
-//read returned value for origin after following redirect
-//compare to "www.w3c-test.org" and fail if true
-//should be: "null" or "www.w3c-test.org www2.w3c-test.org"
-
-$this_script_path = $_SERVER[SCRIPT_NAME];
-
-$next_script_path = ereg_replace('redir-test','support/redir-to-get-origin', $this_script_path);
-$get_origin_path = ereg_replace('redir-test', 'support/get-origin', $this_script_path); 
-
-$get_origin = "http://www2.w3c-test.org$get_origin_path"; 
-$next_script = "http://www.w3c-test.org$next_script_path"."?url=". urlencode($get_origin);
-
-?>
-<!DOCTYPE html>
-<html>
-       <head>
-                <title>CORS Test: Origin Header reflection vulnerability test</title>
-                <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
-                <meta descriptionn="Cross Origin Resource Sharing Test: Origin Header reflection" />
-                <link rel="author" title="bhill@paypal-inc.com" />
-                <script src="/resources/testharness.js"></script>
-                <script src="/resources/testharnessreport.js"></script>
-        </head>
-<body>
-	<div id="log"></div>
-
-
-	<script>
-		// first test that we are sending origin headers!
-                var req = new XMLHttpRequest();
-                req.open("GET", "<?php echo "$get_origin"; ?>", false);
-		try {
-			req.send();
-                	test(function() {assert_equals(req.responseText, "http://www.w3c-test.org")}, "Verify that Origin header is being set.");
-			//alert(req.responseText);
-		} catch(ex) {
-			test(function() {assert_true(false)}, "Exception testing Origin header is set.");
-		}
-
-
-		// second text exercises a cross-origin redirect
-                var req2 = new XMLHttpRequest();
-		req2.onreadystatechange = function() {
-		  if(this.readyState = this.DONE) {
-			test(function() {assert_not_equals("http://www.w3c-test.org", req2.responseText)}, "Verify that Origin header is modified by redirect.");
-		  }
-		};
-
-		// bugs in webkit require async when following redirects
-                req2.open("GET", "<?php echo "$next_script"; ?>", true);
-
-                try {
-                        req2.send();
-                } catch(ex) {
-			alert(ex);
-                        test(function() {assert_true(false)}, "Exception testing Origin header modification on redirect.");
-                }
-
-	</script>
-
-
-</body>
-</html>