CORS Bypass

Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to tell browsers to give a web application running at one origin access to selected resources from a different origin. A web application executes a cross-origin HTTP request when it requests a resource that has a different origin (domain, protocol, or port) from its own.

There are mainly two headers that we are interested in:

Access-Control-Allow-Origin:

By default, cross-origin AJAX requests are blocked by the browser. What this header does is allow certain origin(s) to make unauthenticated requests to the origin responding with the header.

Access-Control-Allow-Credentials:

Even if Access-Control-Allow-Origin is set to allow you to fetch data from the responding origin, you can't send HTTP cookies along with the requests. What the Access-Control-Allow-Credentials header does is allow you to send HTTP cookies with the request.

Misconfigurations:

  • If Access-Control-Allow-Origin is set to *, this means that it'll accept requests from any other origin.
  • If Access-Control-Allow-Origin is set to a dynamically assigned value, that value can be manipulated by the user, who thereby grants themselves the privilege of fetching data from the responding origin.
  • If Access-Control-Allow-Credentials is set to true, this means that you can fetch an authenticated user's data if you make requests using their browser.
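
The misconfigurations listed above, shown as an added example that is not code from the original page: a header builder that reflects the request's Origin, the same builder restricted to an exact-match allowlist, and an audit helper that classifies a response's CORS headers. All function names, origins and the allowlist are constructed for illustration.

```javascript
// Added example; the allowlist and every origin below are constructed values.
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);

// Misconfigured pattern: the Origin request header is echoed back unchecked.
function reflectingCors(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened pattern: exact-match allowlist, no CORS grant for any other origin.
function allowlistCors(requestOrigin) {
  // Vary: Origin stops a cache from serving one origin's response to another.
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) return { Vary: "Origin" };
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  };
}

// Audit helper: given the Origin a test request carried (one the application
// should not trust) and the response headers, report which misconfigurations apply.
function auditCors(probeOrigin, responseHeaders) {
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = String(value).trim(); // header names are case-insensitive
  }
  const acao = h["access-control-allow-origin"];
  const credentials = h["access-control-allow-credentials"] === "true";
  const findings = [];
  if (acao === "*") findings.push("wildcard-origin");
  if (acao === probeOrigin) {
    findings.push("reflected-origin");
    // Browsers refuse credentials with "*", so the cookie-bearing case is this one.
    if (credentials) findings.push("reflected-origin-with-credentials");
  }
  return findings;
}
```

Browsers reject the combination of `Access-Control-Allow-Origin: *` with credentials, which is why the helper reports the credentialed finding only for a reflected origin.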
