
CORS: NULL

Notes and commands for CORS: NULL.

2025-05-17
Tags: web, cors, cors-null

Whitelisted null origin value

The Origin header supports the value null. Browsers might send null in the Origin header in unusual situations:

  • Cross-origin redirects
  • Requests from serialized data
  • Requests using the file: protocol
  • Sandboxed cross-origin requests
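An added example, not from the original notes: a server-side origin check that whitelists null next to a strict one, plus a helper that audits the CORS headers returned for a request carrying Origin: null. The allowlisted origins and all function names are constructed for illustration.

```javascript
// Added example; origins and function names below are constructed, not from the page.
const ALLOWLIST = new Set(["https://app.example.com", "https://admin.example.com"]);

// Weak policy: the literal string "null" sits in the trusted list, so any
// context the browser serializes as Origin: null gets a credentialed grant.
function weakCorsHeaders(origin) {
  const trusted = new Set([...ALLOWLIST, "null"]);
  if (!trusted.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened policy: exact match against known origins only. "null" is rejected
// explicitly so it cannot be re-added to the allowlist by mistake.
function strictCorsHeaders(origin) {
  if (typeof origin !== "string" || origin === "null") return {};
  if (!ALLOWLIST.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // keep caches from serving one origin's grant to another
  };
}

// Audit helper: classify the response headers a server returned for a request
// that carried "Origin: null". Only the null-origin case is checked here.
function auditNullOrigin(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const acao = h["access-control-allow-origin"];
  const creds = (h["access-control-allow-credentials"] || "").toLowerCase() === "true";
  if (acao !== "null") return "ok";
  return creds ? "null-origin-trusted-with-credentials" : "null-origin-trusted";
}
```

A result of null-origin-trusted-with-credentials is the finding to fix first, since responses to authenticated requests become readable from any context that sends Origin: null.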

Pack it in an iframe

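sandbox: sets the permissions granted to the framed content
allow-forms: allows forms, because the code is inside a form inside a script inside a web page
allow-scripts: allows scripts, because the code is a script
allow-top-navigation: allows changing the top-level page's location when the page loads
srcdoc: supplies the code to the iframe as an inline document, here the malicious code (HTML-encoded)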
