[OWASP-Bangalore] [null] XMLHttpRequest - Browser vulnerability how can it

cyber research 001.appsec.007 at gmail.com
Thu Aug 9 09:15:56 UTC 2018


Thanks Mahesh & Govind for your response

On Thu, Aug 9, 2018 at 11:55 AM, Govind Kumar <govindkumar.2349 at gmail.com>
wrote:

>
> *Browsers don't validate header values, they simply disallow setting
> headers that you shouldn't mess with*
>
> Please refer to the post below.
> https://stackoverflow.com/questions/7210507/ajax-post-error-refused-to-set-unsafe-header-connection
>
>
> On Tue, Aug 7, 2018 at 6:32 PM, cyber research <001.appsec.007 at gmail.com>
> wrote:
>
>> Hello Guys,
>>
>> I have the following code which I'm testing; it gives me the following error
>> in the browser console: "Refused to set unsafe header "connection"", and most
>> online references say "not to use these headers" and simply to remove them.
>>
>> *Online Reference:*
>>
>> XMLHttpRequest isn't allowed to set these headers, they are being set
>> automatically by the browser. The reason is that by manipulating these
>> headers you might be able to trick the server into accepting a second
>> request through the same connection, one that wouldn't go through the usual
>> security checks - that would be a security vulnerability in the browser.
>>
>> *Query:* Is this not advised, or do you foresee any security issues in
>> doing the same?
>>
>> <html>
>> <body>
>> <script type="text/javascript">
>> function testXMLHttpReq() {
>>     // A GET has no body in the browser; use POST so the command is sent.
>>     var method = "POST";
>>     var url = "http://example.com/example"; // no trailing space in the URL
>>     var xhr = new XMLHttpRequest();
>>     xhr.open(method, url);
>>     // "connection" is a forbidden request header: the browser refuses it and
>>     // logs 'Refused to set unsafe header "connection"' in the console.
>>     xhr.setRequestHeader("connection", "close");
>>     xhr.setRequestHeader("Content-Type", "application/json");
>>     // send() would serialize a plain object as "[object Object]"; encode JSON.
>>     var text = JSON.stringify({"command": "PUSH"});
>>     xhr.send(text);
>> }
>> testXMLHttpReq();
>> </script>
>> </body>
>> </html>
>>
>> --
>> ______________________________________________________________________________
>> null - Spreading the right Information
>> null Mailing list charter: http://null.co.in/section/about/null_list_charter/
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "null" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to null-co-in+unsubscribe at googlegroups.com.
>> Visit this group at https://groups.google.com/group/null-co-in.
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
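The rule Govind points to (the browser refuses certain header names rather than checking their values), as an added JavaScript example that is not part of this thread. It models the Fetch Standard's forbidden-request-header list, which is the list behind the "Refused to set unsafe header" message, and also the XMLHttpRequest rule that a name which is not a token or a value containing CR/LF throws a SyntaxError, which is what closes the "second request on the same connection" route the quoted reference alludes to. The SAMPLE_HEADERS map, the helper names and the verdict strings are constructed for this example; the XMLHttpRequest branch at the end only runs in a browser.

```javascript
// Added example, not code from the original thread. Models what
// XMLHttpRequest.setRequestHeader() does with a header: forbidden names are
// dropped (Chrome logs "Refused to set unsafe header"), bad syntax throws.

// Header names the Fetch Standard forbids scripts from setting (lower-cased).
const FORBIDDEN_NAMES = new Set([
  "accept-charset", "accept-encoding",
  "access-control-request-headers", "access-control-request-method",
  "connection", "content-length", "cookie", "cookie2", "date", "dnt",
  "expect", "host", "keep-alive", "origin", "referer", "set-cookie",
  "te", "trailer", "transfer-encoding", "upgrade", "via",
]);

// Method-override headers are forbidden only when their value names a method
// a script is never allowed to send directly.
const OVERRIDE_NAMES = new Set(["x-http-method", "x-http-method-override", "x-method-override"]);
const FORBIDDEN_METHODS = new Set(["connect", "trace", "track"]);

// RFC 7230 token syntax for a header name.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function isForbiddenRequestHeader(name, value) {
  const n = String(name).toLowerCase();
  if (FORBIDDEN_NAMES.has(n) || n.startsWith("proxy-") || n.startsWith("sec-")) return true;
  if (OVERRIDE_NAMES.has(n)) {
    return String(value).split(",").some((m) => FORBIDDEN_METHODS.has(m.trim().toLowerCase()));
  }
  return false;
}

// Verdict for one header (constructed labels):
//   "syntax-error": setRequestHeader throws (name not a token, or CR/LF/NUL in value)
//   "dropped":      forbidden name, silently ignored (the console warning)
//   "set":          header is added to the request
function classifyHeader(name, value) {
  const v = String(value).trim(); // the spec strips leading/trailing whitespace
  if (!TOKEN.test(String(name)) || /[\r\n\0]/.test(v)) return "syntax-error";
  if (isForbiddenRequestHeader(name, v)) return "dropped";
  return "set";
}

// Apply the rule to a whole header map and report the outcome per header.
function classifyHeaders(headers) {
  const result = { set: {}, dropped: [], rejected: [] };
  for (const [name, value] of Object.entries(headers)) {
    const verdict = classifyHeader(name, value);
    if (verdict === "set") result.set[name] = String(value).trim();
    else if (verdict === "dropped") result.dropped.push(name);
    else result.rejected.push(name);
  }
  return result;
}

// Constructed sample: the header from the original post plus a few others.
const SAMPLE_HEADERS = {
  "connection": "close",                        // forbidden name -> dropped
  "Content-Type": "application/json",           // ordinary header -> set
  "Sec-Fetch-Mode": "cors",                     // Sec-* prefix -> dropped
  "X-HTTP-Method-Override": "PUT",              // harmless override -> set
  "X-Method-Override": "GET, TRACE",            // smuggles TRACE -> dropped
  "X-Debug": "a\r\nTransfer-Encoding: chunked", // CRLF injection -> rejected
};

// Browser-side wrapper: makes the browser's decision visible before the call.
function setHeaderIfAllowed(xhr, name, value) {
  const verdict = classifyHeader(name, value);
  if (verdict === "set") xhr.setRequestHeader(name, value);
  return verdict;
}

if (typeof XMLHttpRequest !== "undefined") {
  // Browser only: the request from the original post, body sent as JSON.
  // "connection" is never set, with or without the wrapper.
  const xhr = new XMLHttpRequest();
  xhr.open("POST", "http://example.com/example");
  setHeaderIfAllowed(xhr, "connection", "close");
  setHeaderIfAllowed(xhr, "Content-Type", "application/json");
  xhr.send(JSON.stringify({ command: "PUSH" }));
} else {
  console.log(JSON.stringify(classifyHeaders(SAMPLE_HEADERS), null, 2));
}
```

The practical consequence for the original question: leaving `setRequestHeader("connection", "close")` in place is not a vulnerability in the page, it is simply a no-op that the browser reports, and the header can be removed without changing what is sent on the wire.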
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-bangalore/attachments/20180809/7d383266/attachment.html>

