Merge pull request #250 from homedirectory/patch-5

Update cors-bypass.md
Carlos Polop 2021-10-07 13:27:39 +01:00 committed by GitHub
commit d9ca1a6f0e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -174,7 +174,9 @@ This isn't directly exploitable because there's no way for an attacker to make s
### **Client-Side cache poisoning**
You may have occasionally encountered a page with [reflected XSS](https://portswigger.net/web-security/cross-site-scripting/reflected) in a custom HTTP header. Say a web page reflects the contents of a custom header without encoding:\`GET / HTTP/1.1
You may have occasionally encountered a page with [reflected XSS](https://portswigger.net/web-security/cross-site-scripting/reflected) in a custom HTTP header. Say a web page reflects the contents of a custom header without encoding:
```http
GET / HTTP/1.1
Host: example.com
X-User-id: <svg/onload=alert\(1\)>
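Review bot: Inside the new ```http fence the backslashes in `X-User-id: <svg/onload=alert\(1\)>` are no longer markdown escapes and will render literally as `alert\(1\)`; since the fence now protects the characters, drop the escapes so the header reads `X-User-id: <svg/onload=alert(1)>`, matching the payload the surrounding text describes.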
@ -183,7 +185,8 @@ Access-Control-Allow-Origin: \*
Access-Control-Allow-Headers: X-User-id
Content-Type: text/html
...
Invalid user: <svg/onload=alert\(1\)>\`
Invalid user: <svg/onload=alert\(1\)>\
```
With CORS, we can send any value in the Header. By itself, **that's useless** since the response containing our **injected JavaScript won't be rendered**. However, **if Vary: Origin hasn't been specified** the response **may be stored in the browser's cache and displayed directly when the browser navigates to the associated URL**. I've made a fiddle to [attempt this attack on a URL of your choice](https://jsfiddle.net/3gk8u8wu/3/). Since this attack uses client-side caching, it's actually quite reliable.
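Review bot: The new `Invalid user: <svg/onload=alert\(1\)>\` line keeps a stray trailing backslash left over from the old inline-code closing backtick, and the `\(`/`\)` escapes are now literal inside the fence; suggest `Invalid user: <svg/onload=alert(1)>` immediately followed by the closing fence. The `Access-Control-Allow-Origin: \*` context line has the same escaped asterisk and should read `Access-Control-Allow-Origin: *` now that it sits inside the fence.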
@ -215,11 +218,11 @@ Try to add a **`callback`** **parameter** in the request. Maybe the page was pre
### Easy \(useless?\) bypass
You can ask a web-application to make a request for you and send back the response. This will bypass the the **`Access-Control-Allow-Origin`** but notice that the **credentials to the final victim won't be sent** as you will be **contacting a different domain** \(the one that will make the request for you\).
You can ask a web-application to make a request for you and send back the response. This will bypass the **`Access-Control-Allow-Origin`** but notice that the **credentials to the final victim won't be sent** as you will be **contacting a different domain** \(the one that will make the request for you\).
#### [CORS-escape](https://github.com/shalvah/cors-escape)
CORS-escape provides a **proxy** that **passes** on our **request** along with its **headers**, and it also **spoof** the **Origin** header \(Origin = **requested domain**\). So the **CORS policy is bypassed**.
CORS-escape provides a **proxy** that **passes** on our **request** along with its **headers**, and it also **spoofs** the **Origin** header \(Origin = **requested domain**\). So the **CORS policy is bypassed**.
The source code is [on Github](https://github.com/shalvah/cors-escape), so you can **host your own**.
```javascript
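Review bot: Both typo fixes ("the the" and "spoof" -> "spoofs") are correct; while this paragraph is being touched, "This will bypass the **`Access-Control-Allow-Origin`**" would be more accurate as "this sidesteps the browser's CORS check, because the request is made server-side by the proxy and the browser only ever talks to the proxy's origin", which is also the reason the same sentence notes that the victim's credentials are not sent.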