test to prevent origin reflection attacks when following redirects in CORS
authorbhill@L-SJN-00530327.corp.ebay.com
Wed, 01 Feb 2012 16:40:44 -0800
changeset 20 e11a5fd84f2b
parent 19 98421000f64c
child 21 bace715cb5a3
test to prevent origin reflection attacks when following redirects in CORS
tests/cors/submitted/bhill2/redir-test.php
tests/cors/submitted/bhill2/support/get-origin.php
tests/cors/submitted/bhill2/support/redir-to-get-origin.php
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/submitted/bhill2/redir-test.php	Wed Feb 01 16:40:44 2012 -0800
@@ -0,0 +1,66 @@
+<?php
+
+//TODO: make CORS request to redir-to-get-origin.php
+//read returned value for origin after following redirect
+//compare to "www.w3c-test.org" and fail if true
+//should be: "null" or "www.w3c-test.org www2.w3c-test.org"
+
+$this_script_path = $_SERVER[SCRIPT_NAME];
+
+$next_script_path = ereg_replace('redir-test','support/redir-to-get-origin', $this_script_path);
+$get_origin_path = ereg_replace('redir-test', 'support/get-origin', $this_script_path); 
+
+$get_origin = "http://www2.w3c-test.org$get_origin_path"; 
+$next_script = "http://www.w3c-test.org$next_script_path"."?url=". urlencode($get_origin);
+
+?>
+<!DOCTYPE html>
+<html>
+       <head>
+                <title>CORS Test: Origin Header reflection vulnerability test</title>
+                <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+                <meta descriptionn="Cross Origin Resource Sharing Test: Origin Header reflection" />
+                <link rel="author" title="bhill@paypal-inc.com" />
+                <script src="/resources/testharness.js"></script>
+                <script src="/resources/testharnessreport.js"></script>
+        </head>
+<body>
+	<div id="log"></div>
+
+
+	<script>
+		// first test that we are sending origin headers!
+                var req = new XMLHttpRequest();
+                req.open("GET", "<?php echo "$get_origin"; ?>", false);
+		try {
+			req.send();
+                	test(function() {assert_equals(req.responseText, "http://www.w3c-test.org")}, "Verify that Origin header is being set.");
+			//alert(req.responseText);
+		} catch(ex) {
+			test(function() {assert_true(false)}, "Exception testing Origin header is set.");
+		}
+
+
+		// second text exercises a cross-origin redirect
+                var req2 = new XMLHttpRequest();
+		req2.onreadystatechange = function() {
+		  if(this.readyState = this.DONE) {
+			test(function() {assert_not_equals("http://www.w3c-test.org", req2.responseText)}, "Verify that Origin header is modified by redirect.");
+		  }
+		};
+
+		// bugs in webkit require async when following redirects
+                req2.open("GET", "<?php echo "$next_script"; ?>", true);
+
+                try {
+                        req2.send();
+                } catch(ex) {
+			alert(ex);
+                        test(function() {assert_true(false)}, "Exception testing Origin header modification on redirect.");
+                }
+
+	</script>
+
+
+</body>
+</html>
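Review bot: The redirect check `if(this.readyState = this.DONE)` assigns instead of compares, so the handler body runs on every readystatechange (states 1 through 4) and registers the same-named test repeatedly before the response has arrived; it should read `if (this.readyState !== this.DONE) return;`. Even with that fixed, `assert_not_equals("http://www.w3c-test.org", req2.responseText)` passes vacuously when the redirected request is blocked and responseText is empty, so the test cannot tell a correctly re-set Origin from a request that simply failed; assert a 200 status and drive the handler from an `async_test` so the harness waits for completion. The PHP preamble also has two portability problems: `$_SERVER[SCRIPT_NAME]` relies on the undefined-constant fallback and should be `$_SERVER['SCRIPT_NAME']`, and `ereg_replace` is deprecated and can be replaced by `str_replace` with the same arguments. Emitting the two URLs into the script via `json_encode` rather than bare `echo` would keep the JavaScript string literals well-formed whatever SCRIPT_NAME contains.
```javascript
// … unchanged: first (synchronous) Origin check …
var redirectTest = async_test("Verify that Origin header is modified by redirect.");
var req2 = new XMLHttpRequest();
req2.onreadystatechange = redirectTest.step_func(function() {
    if (this.readyState !== this.DONE) return;
    assert_equals(req2.status, 200, "redirected request should complete");
    assert_not_equals(req2.responseText, "http://www.w3c-test.org");
    redirectTest.done();
});
// … unchanged: req2.open / req2.send …
```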
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/submitted/bhill2/support/get-origin.php	Wed Feb 01 16:40:44 2012 -0800
@@ -0,0 +1,10 @@
+<?php
+    header("Access-control-allow-headers: X-Requested-With");
+    header("Access-control-max-age: 0");
+    header("Access-control-allow-origin: *");
+    header("Access-control-allow-methods: *");
+    header("Vary: Accept-Encoding");
+    header("Content-Type: text/plain");
+
+    print $_SERVER['HTTP_ORIGIN'];
+?>
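Review bot: `print $_SERVER['HTTP_ORIGIN']` reads the index unconditionally, so a request that carries no Origin header (any plain, non-CORS fetch of this helper) emits an undefined-index notice into the text/plain body instead of a clean empty response; use `print isset($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN'] : '';`. Because the body is compared verbatim by the test with assert_equals, a notice in the body would surface as a puzzling string mismatch rather than a clear missing-header result. A short comment above the print, such as `// echoes the request's Origin header so the caller can see what the browser actually sent after any redirect`, would make the helper's role obvious to the next reader.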
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/cors/submitted/bhill2/support/redir-to-get-origin.php	Wed Feb 01 16:40:44 2012 -0800
@@ -0,0 +1,9 @@
+<?php
+$url = $_GET['url'];
+header("Access-control-max-age: 0");
+header("Access-control-allow-origin: http://www.w3c-test.org");
+header("Access-control-allow-credentials: true");
+header("Access-control-allow-methods: *");
+header("Access-control-expose-headers: Location");
+header("Location: $url");
+?>
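Review bot: `header("Location: $url")` forwards `$_GET['url']` with no validation, so this support file is an unrestricted open redirect on whichever host serves the suite, and it reads the index without checking it exists. The only intended destination is the get-origin helper on www.w3c-test.org or www2.w3c-test.org, so check the host of the supplied URL against that pair and answer 400 otherwise; this keeps the helper usable for redir-test.php while closing the redirector. Since `Access-control-expose-headers: Location` makes the Location value readable cross-origin, the response should carry nothing beyond the validated URL.
```php
<?php
$url = isset($_GET['url']) ? $_GET['url'] : '';
$host = parse_url($url, PHP_URL_HOST);
if (!in_array($host, array('www.w3c-test.org', 'www2.w3c-test.org'), true)) {
    header('HTTP/1.1 400 Bad Request');
    exit;
}
// … unchanged: Access-control-* headers and Location …
```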