Pentesting CORS
Give me all your cookies! OK.
Have you ever built a micro-service on one domain, tried to call it from a web page on another domain, and got a browser error saying the request wasn’t allowed? That error was most likely the browser enforcing the same-origin policy, and the mechanism for relaxing it is CORS (Cross-Origin Resource Sharing). By default a browser will not let a script on one site read responses from another site, which protects the data that a logged-in user’s cookies would otherwise unlock. The browser only hands the response to the script if the server’s CORS headers (Access-Control-Allow-Origin and friends) say that the calling origin is allowed. Developers who hit this error sometimes “fix” it by allowing every other website, either with a * for the allowed origins or, worse, by reflecting whatever Origin header the request carries while also sending Access-Control-Allow-Credentials: true. Browsers refuse to expose credentialed responses behind a *, so the reflected-origin variant is the one that lets an attacker’s page read data as the victim. Pentesters check CORS policies for exactly these misconfigurations to try to obtain sensitive data and take otherwise unauthorized actions on behalf of a user.