Cross origin resource sharing (CORS)

Cross-origin resource sharing is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served. A web page may freely embed cross-origin images, stylesheets, scripts, iframes, and videos.

-- Wikipedia

Same-origin policy (SOP)

  • SOP is a web browser security mechanism

  • Restricts scripts from accessing data belonging to other origins

  • Some objects are only writable, or only readable, across origins

See also PortSwigger - Web Security Academy - Same-origin policy (SOP).

Access-Control-Allow-Origin header (ACAO)

Provides controlled relaxation of SOP.

See also PortSwigger - Web Security Academy - CORS and the Access-Control-Allow-Origin response header.

Exploit

  1. Check for responses containing the Access-Control-Allow-Credentials header and the value being set to true

  2. Resubmit the request with a random value in the Origin header

  3. Check whether that origin is reflected in the Access-Control-Allow-Origin response header

  4. Craft malicious code that requests that data and sends the response to a server you control. Then deliver the code to the victim.

Null origin

Try the same using null as value in the request Origin header.
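The following Python helper is an added example, not part of the original notes: it applies the checks from the Exploit steps and the null-origin variant to a captured response, classifying the server's CORS configuration from the Origin value that was sent and the response headers. The header dict, the label names and the `is_safe_origin` allowlist function are my own assumptions, not from the page.

```python
# Added example: classify a CORS response for the misconfigurations described
# in the notes above. `headers` is assumed to be a dict of header name -> value
# (case-insensitive lookup); `request_origin` is the Origin value that was sent.
from typing import Optional


def _header(headers: dict, name: str) -> Optional[str]:
    """Case-insensitive header lookup; returns None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def classify_cors(request_origin: str, headers: dict) -> str:
    """Return a finding label for the response to a request that carried
    `request_origin` (a random/arbitrary origin, or "null") in its Origin header.

    Labels (assumed names for this example):
      "no-cors"                    no ACAO header: browser blocks cross-origin reads
      "wildcard"                   ACAO "*": browsers never send credentials with it
      "reflected-with-credentials" arbitrary origin reflected AND credentials allowed
      "null-with-credentials"      "null" origin allowed AND credentials allowed
      "reflected"                  origin reflected, but credentials not allowed
      "fixed-origin"               ACAO set to some other, non-reflected value
    """
    acao = _header(headers, "Access-Control-Allow-Origin")
    creds = (_header(headers, "Access-Control-Allow-Credentials") or "").lower() == "true"
    if acao is None:
        return "no-cors"
    if acao == "*":
        return "wildcard"
    if acao == request_origin:
        if creds and request_origin == "null":
            return "null-with-credentials"
        return "reflected-with-credentials" if creds else "reflected"
    return "fixed-origin"


def is_safe_origin(origin: str, allowlist: set) -> bool:
    """Server-side mitigation: compare Origin against an exact allowlist instead
    of reflecting it, and never accept the "null" origin."""
    return origin != "null" and origin in allowlist
```

The two labels ending in `-with-credentials` are the cases the checklist treats as exploitable; `fixed-origin` and `wildcard` mean the random origin was not trusted.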
