A U.S. Military Website That Trusted Every Domain on Earth
valkant / February 2026
The U.S. Department of Defense runs a Vulnerability Disclosure Program that invites researchers to test public-facing military websites. We took them up on that invitation and started looking at their web properties. One of the sites we tested belonged to the Joint Non-Lethal Weapons Program, which is a publicly known DoD initiative.
The site had a CORS misconfiguration that accepted cross-origin requests from any domain. When we sent a request with an arbitrary Origin header, the server reflected it back in the Access-Control-Allow-Origin response header and included Access-Control-Allow-Credentials set to true. That combination is the worst possible CORS configuration.
What this means in practice is straightforward. If a logged-in user visited any malicious webpage, that page could silently make authenticated requests to the military website and read the responses. The browser's same-origin policy is supposed to prevent this. CORS is the mechanism that relaxes that policy. When you configure CORS to trust every origin with credentials, you effectively disable the same-origin policy entirely.
The attack scenario is simple. An attacker sets up a webpage with JavaScript that makes fetch requests to the military site. A logged-in user visits the attacker's page. The browser sends the requests with the user's cookies. The server accepts the cross-origin request and returns data. The attacker's JavaScript reads the response. Everything the user can see, the attacker can now steal.
We submitted this through the DoD VDP on HackerOne. CORS misconfigurations are common across the internet, but finding one on a military website adds a different dimension to the impact assessment.
The fix is trivial. Do not reflect arbitrary origins. Maintain an allowlist of trusted domains and only return those in the CORS headers. Better yet, if the site does not need to serve cross-origin requests at all, remove the CORS headers entirely.
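The reflecting behaviour described above beside the allowlist fix, as an added example that is not code from the original post or from the affected site. The origin names and the allowlist contents are hypothetical; the functions are plain header builders so they run without a web framework.

```javascript
// Added example (hypothetical names). Two ways a server can answer a cross-origin
// request, plus a defender-side check for the reflect-with-credentials pattern.

const TRUSTED_ORIGINS = new Set([
  "https://portal.example.mil", // hypothetical trusted front-end
  "https://admin.example.mil",
]);

// Vulnerable: whatever Origin the browser sent is echoed back together with
// Allow-Credentials: true, so any page can make cookie-bearing requests and read replies.
function corsHeadersReflecting(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened: exact string match against the allowlist, otherwise no CORS headers at all.
// Exact match matters: prefix, suffix or substring checks are a common source of bypasses.
// "Vary: Origin" stops a shared cache from serving one origin's allowed reply to another.
function corsHeadersAllowlist(requestOrigin) {
  if (!requestOrigin || !TRUSTED_ORIGINS.has(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  };
}

// Detection: given the Origin used in a probe and the headers the server answered with,
// report whether the response shows the reflected-origin-with-credentials misconfiguration.
function isReflectingWithCredentials(probeOrigin, headers) {
  const acao = headers["Access-Control-Allow-Origin"];
  const acac = headers["Access-Control-Allow-Credentials"];
  return acao === probeOrigin && String(acac).toLowerCase() === "true";
}

// Probe with an origin that is not on any allowlist; only the vulnerable handler reflects it.
const PROBE = "https://not-on-the-allowlist.example";
console.log(isReflectingWithCredentials(PROBE, corsHeadersReflecting(PROBE))); // true
console.log(isReflectingWithCredentials(PROBE, corsHeadersAllowlist(PROBE)));  // false
```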