# Cross-Origin Resource Sharing

## Introduction

Ajax requests have traditionally been restricted by the Same-Origin Policy, which only allowed them to request resources within the same domain. HTML5 breaks this restriction and allows Ajax requests to be made across domains. Cross-Origin Resource Sharing (CORS) is the mechanism that allows restricted resources on a web page to be requested from another domain.

## How to test?

### Type 1

The implemented Cross-Origin Resource Sharing (CORS) policy returns a wildcard (`*`) in the `Access-Control-Allow-Origin` response header. Because the allowed origin is not restricted to exact domains, sensitive data may be leaked to unauthorized locations. This is a misconfigured CORS policy.

#### Steps

1. Open the target site (e.g. <http://192.168.56.102/bWAPP/secret-cors-1.php>).
2. Open Burp Suite Community Edition. This [blog post](https://portswigger.net/burp/documentation/desktop/penetration-testing/configuring-your-browser) explains how to configure your browser to proxy through Burp.
3. In Burp Suite, go to the Proxy tab and open HTTP history. Right-click the request and send it to Repeater.


### Type 2

An arbitrary domain supplied in the request `Origin` header (e.g. [www.example.com](http://www.example.com)) should not be reflected in the `Access-Control-Allow-Origin` response header.

{% tabs %}
{% tab title="Request" %}

```
GET /bWAPP/secret-cors-1.php HTTP/1.1
Host: 192.168.56.102
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Origin: www.example.com
Cookie: security_level=0; PHPSESSID=ott1h8b6hliiqbga7khh2pm430; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada
Upgrade-Insecure-Requests: 1
```

{% endtab %}

{% tab title="Response" %}

```
HTTP/1.1 200 OK
Server: Apache/2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL/0.9.8k Phusion_Passenger/4.0.38 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.30
Access-Control-Allow-Origin: www.example.com
Vary: Accept-Encoding
Content-Length: 51
Connection: close
Content-Type: text/plain
```

{% endtab %}
{% endtabs %}

### Type 3

The CORS configuration can be exploited when the domain supplied in the `Origin` request header (e.g. [www.example.com](http://www.example.com)) is reflected in the `Access-Control-Allow-Origin` response header and `Access-Control-Allow-Credentials: true` is also present, because the browser will then attach the victim's cookies to the cross-origin request and let the reflected origin read the response.

{% tabs %}
{% tab title="Request" %}

```
GET /bWAPP/secret-cors-1.php HTTP/1.1
Host: 192.168.56.102
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Origin: www.example.com
Cookie: security_level=0
```

{% endtab %}

{% tab title="Response" %}

```
HTTP/1.1 200 OK
Server: Apache/2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL/0.9.8k Phusion_Passenger/4.0.38 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.30
Access-Control-Allow-Origin: www.example.com
Access-Control-Allow-Credentials: true
Vary: Accept-Encoding
Content-Length: 51
Connection: close
Content-Type: text/plain
```

{% endtab %}
{% endtabs %}

## Solution

Use a whitelist of trusted domains (e.g. [www.example.com](http://www.example.com)) rather than a wildcard, or programmatically verify supplied origins: the `Origin` header should be validated against the specified domain. For example, if the `Origin` header matches `http://example.com`, return `Access-Control-Allow-Origin: http://example.com`.
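As an added example (not part of the original page or of bWAPP), the Python below classifies a captured response into the three misconfiguration types described above and shows an exact-match allowlist handler of the kind this solution describes; the allowlisted origins and the header values are constructed sample data.

```python
from urllib.parse import urlsplit

# Constructed allowlist: exact origins (scheme + host [+ port]), no wildcards.
ALLOWED_ORIGINS = {"http://example.com", "https://app.example.com"}


def classify_cors(probe_origin, response_headers):
    """Map a response to the misconfiguration type described above.

    probe_origin must be a domain the site does NOT trust (as in the tests
    above); an echo of a genuinely allowlisted origin is correct behaviour.
    response_headers is a dict of header name -> value.
    """
    hdrs = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = hdrs.get("access-control-allow-origin")
    if acao is None:
        return None  # no CORS grant: the browser blocks the cross-origin read
    if acao == "*":
        return "type1"  # wildcard: any origin may read the response
    if probe_origin and acao == probe_origin.strip():
        # the server reflects whatever Origin it was sent
        creds = hdrs.get("access-control-allow-credentials", "").lower()
        return "type3" if creds == "true" else "type2"
    return None


def cors_headers(origin, allowed=ALLOWED_ORIGINS):
    """Hardened handler: echo the Origin only when it is an exact allowlist hit."""
    if not origin:
        return {}
    parts = urlsplit(origin)
    # a real origin is scheme://host[:port] with no path, query or fragment
    if (parts.scheme not in ("http", "https") or not parts.netloc
            or parts.path or parts.query or parts.fragment):
        return {}
    if origin not in allowed:
        return {}  # omit the headers entirely: the browser refuses the read
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # stop caches serving one origin's grant to another
    }
```

Substring or suffix matches (e.g. `example.com.attacker.test`) are rejected because membership is tested on the whole origin string, not on a prefix or a regular expression.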

