Bypassing CORS

Saad Ahmed
Aug 1, 2019 · 2 min read

Hello friends, this write-up is about how I bypassed a CORS origin check. Let's call the website redact.com. I logged in and first looked for CSRF on the change-password form, but it had a Current Password parameter, so even if the CSRF protection could be bypassed I would still need the victim's current password to exploit it.

Then I saw these response headers:

Access-Control-Allow-Origin: https://redact.com

Access-Control-Allow-Credentials: true

I tried setting the Origin header to attacker.com, but the server did not reflect it. Adding a second Origin header failed too. It turned out the server only validated the beginning of the Origin value, so anything that started with https://redact.com passed the check.


So we can trick the server into passing that validation by setting the Origin header to redact.com.attacker.com (that is, Origin: https://redact.com.attacker.com): it begins with the trusted origin but is a host the attacker controls.


I tried this against redact.com and it worked: the server reflected the attacker-controlled origin in Access-Control-Allow-Origin and kept Access-Control-Allow-Credentials: true.
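As an added example (not code from the original post), here is a server-side Origin check of the kind that lets https://redact.com.attacker.com through, next to an exact-match allowlist that closes the hole. That the real server used a prefix comparison is an assumption consistent with the bypass above; the function names and the allowlist are mine.

```javascript
// Added example (not code from the original post). Models the kind of
// Origin check that lets "https://redact.com.attacker.com" through, next
// to an exact-match allowlist that closes it. That the real server used a
// prefix comparison is an assumption consistent with the bypass above.

const TRUSTED_ORIGIN = "https://redact.com";
const ALLOWED_ORIGINS = new Set([TRUSTED_ORIGIN]);

// Vulnerable: only tests the beginning of the Origin value, so any host
// that begins with "redact.com" (redact.com.attacker.com, redact.comx, ...)
// passes, and so does "https://redact.com@attacker.com".
function vulnerableOriginCheck(origin) {
  return typeof origin === "string" && origin.startsWith(TRUSTED_ORIGIN);
}

// Hardened: parse the value as a URL, require that it is already in
// serialized-origin form (scheme://host[:port], which is all a browser ever
// sends), and compare the whole string against an explicit allowlist.
function hardenedOriginCheck(origin) {
  if (typeof origin !== "string") return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false; // "null", garbage, or a missing header
  }
  // parsed.origin of "https://redact.com@attacker.com" is
  // "https://attacker.com", so the equality test rejects userinfo tricks
  // and any non-canonical form before the exact set lookup.
  return parsed.origin === origin && ALLOWED_ORIGINS.has(origin);
}

// Builds the CORS response headers for a credentialed request. Always emit
// Vary: Origin so a cache never serves one origin's reflected value to another.
function corsHeadersFor(origin, check) {
  const headers = { Vary: "Origin" };
  if (check(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Stand-alone demonstration of both checks on the origins discussed above.
for (const origin of [
  "https://redact.com",
  "https://redact.com.attacker.com",
  "https://attacker.com",
  "https://redact.com@attacker.com",
]) {
  console.log(origin, "vulnerable:", vulnerableOriginCheck(origin), "hardened:", hardenedOriginCheck(origin));
}
```

The same mistake shows up as an unanchored regex (`/redact\.com/`) or an `endsWith` check that forgets the dot; the fix is the same in every case: compare the whole serialized origin against a list, never a substring of it.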


Next, loading the Account-Detail page from the evil origin to steal the information.


Sending that fetch request with the victim's credentials from the attacker page reads the account information page and displays it on evil.com.


Boom, data stolen. I hope you guys liked it.

./LOGOUT
