search

CORS Attack

ow HTTP Headers

Access-Control-Allow: * or <origin> or null

Access-Control-Credentials:

if Access Access-Control-Credentials: true

is Vulnerable CORS

<?php
session_start();

if($_SESSION['islogin'] != 1){
	header("Location: login.php");
	die();
}
#vulnerablity here
$origin = "mydomain.com";
if ( strpos(@$_SERVER['HTTP_ORIGIN'], "mydomain.com") ){
	$origin = @$_SERVER['HTTP_ORIGIN'];
}

header("Content-Type: application/json");
header("Access-Control-Allow-Origin: *");
header("Access-Control-Allow-Credentials: true");

echo '{"name":"Guest user", "phone number":"0234235","email":"email@gmail.com","adddress":"street 3","own books":["Book one","Book two","Book three"],"private books":["book 4","book 5"]}';

POS (if data json use Content-Type = application/json)

I will try to find this vuln Uing Burpsuit Come with me!

in this request allow credentials if

hashtag
Testing For CORS Vulnerabilities

  1. remove/add a domain or like attckerlocalhost

  • Map the application • Test the application for dynamic generation • Does it reflect the user-supplied ACAO header? • Does it only validate on the start/end of a specific string? • Does it allow the null origin? * or yourdoamin,com • Does it restrict the protocol? HTTP or https | 80,8080 or any think • Does it allow credentials?

Click exploit B000000000M!

Mitigation

1. restrict Allowed Origins

Access-control-Allow-Origin: https://example.comarrow-up-right

2. Limit HTTP Methods

Access-control-Allow-Methods: GET, POST

3. Control Allowed Header

Access-Control-Allow-Headers: Content-Type, Authorization

  1. Access-Control-Allow-Credentials: true

  2. Validate Input and Origin

  3. Content security Policy (CSP)

Content-Security-Policy: default-src 'self'; script-src 'self' https://example.comarrow-up-right

http://localhost/labs/cors/info.phparrow-up-right

PreviousXSS_HTML InjectionNextClickjacking

Last updated