CORS in a few words

Cross-origin resource sharing (CORS) allows scripts in third-party web applications to access resources in a domain.

Why is it needed?

Due to the same-origin policy (SOP), a web application cannot request resources hosted by another web application using a script (SOP doesn't apply to CSS or images). CORS allows this restriction to be relaxed.

What's an origin?

An origin is protocol + domain + port, for example https://example.tredecimal.com:443. If any of the three isn't exactly the same, it isn't considered the same origin; subdomains are also a different origin (because the domain changes). The browser sends the origin as a header on requests.

How does it work?

The client browser sends a GET request with the extra Origin header. If the server allows CORS, it returns an Access-Control-Allow-Origin header containing either the URL of the origin or a wildcard (if all origins are allowed). It can also return an Access-Control-Allow-Credentials header if access to private parts is needed; this header allows cookies, TLS client certificates or Authorization headers to be used.

What problems does it have?

  • It is not possible to define more than one origin per CORS endpoint.
  • You can use different domains/origins for different endpoints of your application but not multiple domains for the same endpoint.
  • You cannot use the Allow-Credentials header when the wildcard is used in the Allow-Origin header.

Due to the above restrictions, programmers and frameworks have found ways to allow multiple origins/domains to access the same endpoint while still being able to use the Allow-Credentials header.

How can CORS be used while allowing multiple origins?

There are two ways: an insecure one, using the null origin, and an error-prone one, using "dynamic origin validation".

Null is a special case of the "one domain" case. Any origin can simulate being null (using a sandboxed iframe or a data: URL, among other ways), and because it falls into the "one domain" case it allows using the Allow-Credentials header. That has security implications: if anyone can fake a null origin, an attacker can too. In a way, it's like a more insecure wildcard.

Dynamic origin validation, when correctly implemented, can be both useful and secure. It's recommended to keep a whitelist of fully qualified origins and compare the incoming Origin to them byte-for-byte. Using a regex, or matching only the beginning or end of the origin, is very error-prone, can create a security risk and should be avoided.

Of course, it would be better if the specification simply allowed multiple domains in a secure way, so each framework wouldn't need to write its own dynamic origin validation.

Misc

  • Using the Vary: Origin header is a good idea when the response depends on the requester. When you use a CDN or anything else that can cache the response, it prevents a response generated for one origin from being cached and served to another.
  • Requests other than GET and POST get a pre-flight request.
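The following is an added example, not code from the original post, showing the exact-match dynamic origin validation recommended above beside the error-prone prefix, suffix and regex matchers it warns against, together with the Vary: Origin and pre-flight handling from the Misc notes. The allow-list entries, hostnames and request origins are constructed sample values; the function names are this example's own.

```javascript
// Added example (not from the original post): server-side CORS decision logic.
// All origins below are constructed sample values.

// Fully qualified origins, exactly as the browser sends them in the Origin
// header (scheme + host + port). Constructed entries; replace with your own.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com:8443',
]);

// Hardened check: byte-for-byte comparison. Set.has() on strings is an exact
// match, so "https://app.example.com.attacker.test" never matches.
// The literal "null" origin is rejected even if someone adds it to the set,
// because any page can produce it (sandboxed iframe, data: URL).
function isAllowedOrigin(origin, allowlist = ALLOWED_ORIGINS) {
  return typeof origin === 'string' && origin !== 'null' && allowlist.has(origin);
}

// Build the CORS response headers for one request. `method` is the HTTP
// method and `origin` the Origin request header (undefined for same-origin
// and non-browser requests, which get no Access-Control-* headers).
function corsHeadersFor(method, origin) {
  // Vary: Origin goes on every response whose content depends on the
  // requester, so a CDN never serves origin A's headers to origin B.
  const headers = { 'Vary': 'Origin' };
  if (!isAllowedOrigin(origin)) {
    return headers; // disallowed: emit no Access-Control-Allow-* headers at all
  }
  // Echo the validated origin rather than "*": a wildcard cannot be combined
  // with Allow-Credentials, and credentials are what we want to support.
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Credentials'] = 'true';
  if (method === 'OPTIONS') {
    // Pre-flight: the browser asks first for methods other than GET/POST.
    headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE';
    headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Error-prone matchers from the text, kept only to show what they accept.
// Seeing one of these in a code review is the cue to switch to exact matching.
function prefixMatch(origin) {
  return origin.startsWith('https://app.example.com'); // accepts ...example.com.attacker.test
}
function suffixMatch(origin) {
  return origin.endsWith('example.com'); // accepts https://notexample.com
}
function looseRegexMatch(origin) {
  return /^https:\/\/app.example.com/.test(origin); // unescaped dots, no end anchor
}

// Side-by-side verdicts of all four matchers for one origin.
function compareMatchers(origin) {
  return {
    exact: isAllowedOrigin(origin),
    prefix: prefixMatch(origin),
    suffix: suffixMatch(origin),
    regex: looseRegexMatch(origin),
  };
}

// Demonstration on constructed origins: only the first one should pass `exact`.
for (const o of [
  'https://app.example.com',
  'https://app.example.com.attacker.test',
  'https://notexample.com',
  'https://appXexample.com',
  'null',
]) {
  console.log(o, compareMatchers(o), corsHeadersFor('GET', o));
}
```

In a real server the returned object is merged into the response headers for both the pre-flight OPTIONS response and the actual request; the point to carry over is that the allow-list holds whole origins, the comparison is exact, and a rejected origin gets no Access-Control-Allow-* headers at all rather than a fallback to "*".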

Aftermarket Head Units: A primer

⚠️ Warning: Aftermarket car head units may void your vehicle's warranty, cause compatibility issues, or lead to a GPS telling you to "turn left into the ocean." I take no responsibility for melted plastics, voided warranties, or GPS-induced existential crises. You install this stuff at your own risk.

Lately I have been interested in aftermarket head units, as my car came without CarPlay/Android Auto (but with an OEM reverse camera) and I got tired of hooking my phone to the A/C vent when using navigation and wanted something better. There are a lot of things to take into account, especially if you want to do it yourself and on the cheap. Below I'll list the parts and what you need to look out for.

Parts

  • A head unit (Hizpo S8 or similar)
  • A car (whatever you have, mine is a Hyundai from 2017)
  • A bezel, fascia or frame (if your car doesn't have a standard double-DIN opening and you need the plastic piece to fit the unit into your car, like this one)
  • Aftermarket wire harness (probably mandatory)
  • A reversing camera (optional)

In my case I wanted to do it cheaply and bought everything from Aliexpress. If you live in the USA you can buy nearly everything on Crutchfield and it will require less guesswork.

For those anywhere else in the world, you will need to choose a head unit. There are Android and Linux ones; they come in all flavors and sizes, with all kinds of functions like:

  • Wired/wireless CarPlay/Android Auto
  • AV Out (useful if you plan to add screens for rear passengers)
  • Rear view camera input (to install an aftermarket camera)
  • LTE
  • USB ports
  • DAB radio
  • TPMS (for tire pressure)
  • Canbus (for more advanced things)

All of them have common DSPs and amplifiers that will do the job and are indistinguishable from the OEM ones.

I would recommend buying one that has a QLED screen, as they have the best price/quality ratio. Double-check that the resolution and size of the screen make sense: 1024x600 is okay-ish for 7 inches but would look bad at 10". It also depends on whether you only care about navigation/music or plan to use it to watch shows or movies while you are in a traffic jam.

I have tested some Android ones; those from Aliexpress lie about their Android version and are outdated. However, you can install applications using the Play Store and they will work without the need for an external smartphone.

I haven't tested a Linux one yet, but they are normally cheaper, screens are not bigger than 7" and you can't install applications. However, it seems that they work well, boot up fast and normally support CarPlay/Android Auto (your phone will do the processing).

To be continued in a later post.