SOP and Its Quirks

Same Origin Policy // CORS Bypass

TLDR;

  1. SOP prevents responses from a different origin from being displayed. When performing a cross-site request forgery with AJAX, cookies are not sent along with the request -> so using XMLHttpRequest, for example, is not possible for an attack.

  2. If the cross-origin website has URLs that are dangerous just by sending a GET request, this can be abused using <img> or <iframe> tags to embed the exploitable URL, as cookies are sent along with these requests.

Problems:

XMLHttpRequest().send() does not include cookies with the request, making a cross-origin attack impossible.

<img> or <iframe> does include cookies, but no private response data is returned.

Solution and Exploit:

Just look for URLs that can be exploited simply by requesting them, such as /profile/admin/1/delete.

This method allows both GET and POST requests, as seen below.

*Note: POST requests made this way (inside of a form) will always send the data as urlencoded form data.

Prevention:

Use a CSRF token.
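Added example (not from these notes or the video) of what the CSRF-token prevention looks like server-side for the /profile/admin/1/delete case above: the in-memory session store, server secret and request handler are constructed assumptions standing in for a real web framework. A forged <img>/<iframe> GET and a forged cross-site <form> POST (which cannot read the token because of SOP) are both rejected; only the same-site form that carries the token succeeds.

```python
import hmac
import hashlib
import secrets
from urllib.parse import parse_qs

# Constructed stand-ins for the app's real session storage and key material.
SESSIONS = {}
SERVER_SECRET = secrets.token_bytes(32)

# Paths that change state: never reachable by a plain GET, and a POST needs a token.
STATE_CHANGING = {"/profile/admin/1/delete"}


def new_session(user):
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user}
    return sid


def csrf_token(session_id):
    # Token bound to the session. An attacker's page cannot read it cross-origin
    # (SOP blocks the response), so a forged request cannot include it.
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def valid_csrf(session_id, supplied):
    if not supplied:
        return False
    return hmac.compare_digest(csrf_token(session_id), supplied)


def handle(method, path, cookies, body=""):
    """Return (status, message) for a request. `body` is urlencoded form data."""
    sid = cookies.get("session")
    if sid not in SESSIONS:
        return 401, "no session"
    if path not in STATE_CHANGING:
        return 200, "ok"
    if method != "POST":
        # Closes the <img>/<iframe> vector: a GET can no longer trigger the action.
        return 405, "state-changing action requires POST"
    token = parse_qs(body).get("csrf_token", [None])[0]
    if not valid_csrf(sid, token):
        # Cross-site <form> POSTs arrive with cookies but without the token.
        return 403, "missing or invalid CSRF token"
    return 200, f"deleted by {SESSIONS[sid]['user']}"
```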

CSRF, CORS, XSS Differences

-> CORS can get data and most of the time won't have a CSRF token (the endpoint wants to be accessed cross-site).
-> CSRF can execute functions (and get no data) from a different site if they are not protected by CSRF tokens.
-> XSS can execute functions and get data, so a CSRF token doesn't matter.
-> BUT if a CSRF token is present, reflected XSS will not work.

  • CORS will only be able to get the response from allowed directories/URLs, i.e. those sent with the `Access-Control-Allow-Origin: <Requesting Site>` and `Access-Control-Allow-Credentials` headers

  • XSS only needs one hole, and can act as the user across the whole site and get the response from every URL, as the requests come from the same site

  • CSRF needs every targeted function to be vulnerable (missing CSRF tokens)

Reference:

If this doesn't make sense to you, just go watch LiveOverflow's video below; I took these notes mostly from this video anyway :)

Live OverFlow [ CSRF Introduction and what is the Same-Origin Policy? - web 0x04 ]
