Explain Vary Header and CORS exploitation.
I saw PortSwigger's blog post discussing the security risks associated with CORS mis-configurations.
The blog talks about insecure ways of enabling CORS which can allow malicious web sites to read data from a target site. Towards the end, the blog talks about a prevention mechanism involving the Vary: Origin header:
If you take a look at the 'Implementation Considerations' section in the CORS specification, you'll notice that it instructs developers to specify the 'Vary: Origin' HTTP header whenever Access-Control-Allow-Origin headers are dynamically generated.
I am having a hard time understanding how exactly the Vary header helps prevent CORS exploitation in a scenario where the Access-Control-Allow-Origin header is dynamically generated.
It's important to include the Vary header to prevent caching. The header indicates that the response is in some way dependent on the origin and should therefore not be served from cache for any other origin. If the header is missing, cache poisoning attacks might be possible as explained in the article by the example of XSS via a reflected custom header. A missing Vary header doesn't create a vulnerability on its own.