SOP and Its Quirks
Same Origin Policy // CORS Bypass
SOP prevents responses from a different origin from being displayed. When performing a cross-site request forgery with AJAX, cookies are not sent along with the request. -> So, using XMLHttpRequest, for example, is not possible for an attack.
If the cross-origin website has URLs that are dangerous just by sending a GET request, this can be abused using <img> or <iframe> tags to embed the exploitable URL, as cookies are sent along with these requests.
Problems:
XMLHttpRequest().send() does not include cookies, making a cross-origin attack with it impossible.
<img> or <iframe> tags do include cookies, but no private response data is returned to the embedding page.
Solution and Exploit:
Just look for URLs that can be exploited simply by requesting them, such as /profile/admin/1/delete.
This method allows both GET and POST requests, as seen below.
*Note: A POST request made this way (inside a form) will always send its data as application/x-www-form-urlencoded.
Prevention:
Usage of CSRF token.
-> CORS can get data, and most of the time the endpoint won't have a CSRF token (it wants to be accessed cross-site)
-> CSRF can execute functions (but gets no data) from a different site if they are not protected by CSRF tokens
-> XSS can execute functions and get data, so a CSRF token doesn't matter
-> BUT if a CSRF token is present, reflected XSS will not work
CORS will only be able to get the response from the allowed directories/URLs, i.e. those that respond with the `Access-Control-Allow-Origin: <Requesting Site>` and `Access-Control-Allow-Credentials: true` headers.
XSS only needs one hole; it can then act as the user across the whole site and get the response from every URL, as the requests come from the same origin.
CSRF needs every function to be vulnerable / missing CSRF tokens.
If this doesn't make sense to you, just go watch LiveOverflow's video below; I took these notes out mostly from this video anyway :)
LiveOverflow [ CSRF Introduction and what is the Same-Origin Policy? - web 0x04 ]