CORS
Created by @mehdi0x90

Errors parsing Origin headers

Request:
    GET /sensitive-victim-data HTTP/1.1
    Host: [Link]
    Origin: [Link]
    Cookie: sessionid=...

Response:
    HTTP/1.1 200 OK
    Access-Control-Allow-Origin: [Link]
    Access-Control-Allow-Credentials: true
    ...

The ACAO header grants access to all domains ending in [Link]. An attacker might be able to gain access by registering the domain [Link].

Whitelisted null origin value

Browsers might send the value null in the Origin header in various unusual situations:
    - Cross-origin redirects
    - Requests from serialized data
    - Request using the file: protocol
    - Sandboxed cross-origin requests

Some applications might whitelist the null origin to support local development of the application.

Request:
    GET /sensitive-victim-data
    Host: [Link]
    Origin: null

Response:
    HTTP/1.1 200 OK
    Access-Control-Allow-Origin: null
    Access-Control-Allow-Credentials: true

For example, this can be done using a sandboxed iframe cross-origin request of the form

Exploiting XSS via CORS trust relationships

Breaking TLS with poorly configured CORS

Intranets and CORS without credentials

Request:
    GET /reader?url=[Link]
    Host: [Link]
    Origin: [Link]

Response:
    HTTP/1.1 200 OK
    Access-Control-Allow-Origin: *

The application server is trusting resource requests from any origin without credentials. If users within the private IP address space access the public internet, then a CORS-based attack can be performed from the external site that uses the victim's browser as a proxy for accessing intranet resources.
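The two whitelist mistakes above (suffix matching on the Origin header and trusting the null origin) come from how the server decides which Origin to reflect. Added example, not code from the mind map or its author: a suffix-based check beside a strict allowlist check that normalizes the origin and rejects null; the allowlist entries and hostnames are constructed.

```python
from urllib.parse import urlsplit

# Constructed allowlist: exact origins (scheme://host[:port]), never suffixes.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def weak_allow_origin(origin: str) -> dict:
    """The misconfiguration: a suffix check on Origin accepts any host whose
    name merely ends in the trusted string, e.g. hackersexample.com."""
    if origin.endswith("example.com"):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def normalize_origin(origin: str):
    """Canonical scheme://host[:port], or None if the value is not a plain
    well-formed web origin. 'null', userinfo, paths and bad ports are refused."""
    if origin == "null":
        return None
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.username or parts.password or parts.query or parts.fragment:
        return None
    if parts.path not in ("", "/"):
        return None
    default = 443 if parts.scheme == "https" else 80
    if port is None or port == default:
        return f"{parts.scheme}://{parts.hostname}"  # hostname is lowercased
    return f"{parts.scheme}://{parts.hostname}:{port}"


def strict_allow_origin(origin: str, allowed=ALLOWED_ORIGINS) -> dict:
    """Reflect the origin only on an exact allowlist hit; otherwise emit no
    CORS headers at all, so the browser refuses the cross-origin read."""
    canon = normalize_origin(origin)
    if canon is None or canon not in allowed:
        return {}
    return {"Access-Control-Allow-Origin": canon,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}  # keep caches from serving one origin's ACAO to another
```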