Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Bypassing SOP using the browser cache - 1789

Aleksei Tiurin, posted 4 months ago
  • Websites often have subdomains that need to communicate with each other. The Same Origin Policy (SOP) normally prevents this, so developers have relied on workarounds; a formerly popular one is JSON with Padding (JSONP).
  • How does this work? If you have blog.example.com and account.example.com, the account site exposes a JSONP endpoint that the blog page loads as a script. The request carries the user's cookies for account.example.com, so the endpoint returns data for the logged-in user. To prevent cross-site data leakage, the endpoint verifies that the Referer header is whitelisted.
  • The browser cache works like most HTTP caches. When the browser receives the response to a GET request, it checks the headers for caching information, notably Cache-Control, Expires and Last-Modified, and may store the response for reuse.
  • Now, put these together: a JSONP endpoint whose response is cacheable. Because the browser cache keys responses by URL and does not consider the Referer header, a later request for the same URL from any page is served from the cache without the check ever running! This becomes an authentication issue as a result.
  • The author claims that this issue also happens with Cross-Site Script Inclusion (XSSI). To fix this, just be careful with your Cache-Control headers. I personally hadn't considered browser caching as a security issue, but it is in this case!
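To make the cache interaction concrete, here is an added example (my own toy model, not code from the original post): a JSONP endpoint guarded by a Referer whitelist, a browser cache that keys entries by URL only, and a check that the endpoint's Cache-Control header actually prevents reuse. All hostnames, paths and user data are constructed for illustration.

```python
"""Toy model of the JSONP-plus-browser-cache issue and its Cache-Control fix."""
import json
import re

# Constructed allow-list for the simulated account.example.com endpoint.
ALLOWED_REFERERS = ("https://blog.example.com/",)


def jsonp_endpoint(headers, cacheable):
    """Simulated handler for account.example.com/user.js?callback=cb.

    `cacheable=True` uses the weak header set (browser may store the
    response); `cacheable=False` uses the corrected one (no-store)."""
    referer = headers.get("Referer", "")
    if not referer.startswith(ALLOWED_REFERERS):
        return 403, {"Cache-Control": "no-store"}, "/* forbidden */"
    body = "cb(" + json.dumps({"user": "alice", "email": "a@example.com"}) + ")"
    if cacheable:
        resp_headers = {"Cache-Control": "public, max-age=3600"}  # weak
    else:
        resp_headers = {"Cache-Control": "no-store"}  # fix
    return 200, resp_headers, body


class BrowserCache:
    """Cache keyed by URL alone; Referer is not part of the key."""

    def __init__(self):
        self.store = {}

    def fetch(self, url, headers, cacheable):
        if url in self.store:
            return ("cache",) + self.store[url]  # Referer check never runs
        status, resp_headers, body = jsonp_endpoint(headers, cacheable)
        cc = resp_headers.get("Cache-Control", "")
        if status == 200 and "no-store" not in cc and re.search(r"max-age=[1-9]", cc):
            self.store[url] = (status, body)
        return ("network", status, body)


def simulate(cacheable):
    """A whitelisted page loads the endpoint, then a non-whitelisted page in
    the same browser requests the same URL. Returns (source, status) of the
    second fetch; ("cache", 200) means the check was bypassed."""
    cache = BrowserCache()
    url = "https://account.example.com/user.js?callback=cb"
    cache.fetch(url, {"Referer": "https://blog.example.com/post/1"}, cacheable)
    src, status, _ = cache.fetch(url, {"Referer": "https://other.example.net/"}, cacheable)
    return src, status
```

Running `simulate(True)` yields `("cache", 200)`, the leak the post describes, while `simulate(False)` yields `("network", 403)` because `no-store` keeps the response out of the cache; the same check is easy to adapt into a regression test against a real endpoint's response headers.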