Collaborate Disseminate
I found a website which is vulnerable to cors.(https://portswigger.net/web-security/cors)
GET /api/requestApiKey HTTP/1.1.
Host: vulnerable-website.com.
Origin: https://evil.com.
AUTHENTICATION: eyssdsdsdsasa…..
And the server responds … Continue reading CORS attack using authentication token
When loggin in to a website, A Bearer token is generated and echoed back from the server in a JSON reponse. After this, each request sends the generated token in the Authorization: BEarer header.
However, there is a API endpoint which ref… Continue reading CORS request is not sending Authorization: Bearer <value> header
Modern browsers don’t allow cross-origin requests – those must be explicitly allowed by CORS headers. But looking at Java back ends like Tomcat/Spring MVC I see that it’s possible to reject requests from other origins on server side.
Since… Continue reading Do we need to check for cross-origin on server side?
Sometimes when checking whether requests are cross-origin, applications check whether the origin contains the whitelisted domain. This makes it possible to bypass the white-listing by including the whitelisted value in the subdomain.
E.g. … Continue reading How to get my exploit script served on arbitrary subdomain?
Sometimes when checking whether requests are cross-origin, applications check whether the origin contains the whitelisted domain. This makes it possible to bypass the white-listing by including the whitelisted value in the subdomain.
E.g. … Continue reading How to get my exploit script served on arbitrary subdomain?
"The HTTP Cross-Origin-Opener-Policy (COOP) response header allows you to ensure a top-level document does not share a browsing context group with cross-origin documents."
In a situation where www.attacker.com opens www.tagetwebs… Continue reading What is the difference between Cross Origin Opener Policy and SOP?
While reviewing an SPA web application the backend API server was reflecting the Origin header from a credentialed request in the Access-Control-Allow-Origin header of the response with Access-Control-Allow-Credentials set to true.
I don’t… Continue reading Origin header reflected in ACAO header with ACAC set to true on an API
I’ve found bug in a moderately known company when I started my bug bounty career, 7 months ago, since then I’ve found other bugs and received bounty for them on other companies, but this first company fixed the bug and promised me they’ll … Continue reading Bug bounty programme ignoring me after promising a bounty for 7 months now, not paying me as well [closed]
I’ve found bug in a moderately known company when I started my bug bounty career, 7 months ago, since then I’ve found other bugs and received bounty for them on other companies, but this first company fixed the bug and promised me they’ll … Continue reading Bug bounty programme ignoring me after promising a bounty for 7 months now, not paying me as well [closed]
I’m testing a web application and burp detected this issue:
Cross-origin resource sharing: arbitrary origin trusted
Looking at the response, I only see this header:
Access-Control-Allow-Origin: https://www.evil.com
Considering the lack of … Continue reading CORS without Access-Control-Allow-Credentials