all InfoSec news logo
all InfoSec news - Your InfoSec news aggregator
Log in Sign up
all InfoSec news

Portswigger’s lab write up: CORS vulnerability with basic origin reflection

Add to bookmarks
Dec. 8, 2022, 3:29 a.m. | Christian Paez

DEV Community dev.to

In this apprentice-level lab, we will exploit a website with a basic CORS vulnerability to obtain a user's private credentials.


Upon logging in with the given credentials, we visit the account details page and check the response headers of the request to /accountDetails that fetches the user's API key:



HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Content-Type: application/json; charset=utf-8
Connection: close
Content-Length: 149

{
  "username": "wiener",
  "email": "",
  "apikey": "JQ7ufLKKzNoI4ahWKAKWBG5eP64wgwJW",
  "sessions": [
    "cdmflpOO6psYIp3novWUytbSDM9i68X1"
  ]
}



We can see that the Access-Control-Allow-Credentials: true …

basic cors lab origin portswigger vulnerability webdev writeup

Visit resource

More from dev.to / DEV Community

Install helm chart from ECR an hour ago | dev.to
abc aws aws ecr chart +10
Transitioning from Spring Security WebMvcConfigurer to SecurityFilterChain: A Seamless Migration Guide an hour ago | dev.to
applications date development evolution +14
Steps to Adding Google Login to Your React App 2 hours ago | dev.to
access access security account app +23
How to Create a Monitoring Dashboard for Your Azure-hosted VM or Website 2 hours ago | dev.to
azure azure security blog blog post +21
Setting up a Homelab: Part 1 Proxmox and LetsEncrypt 2 hours ago | dev.to
application applications breaking docker +11
Voxel51 Filtered Views Newsletter – April 26, 2024 3 hours ago | dev.to
agent ai april author +22
Beginner's Guide: Connecting to Your EC2 Instance Using AWS Systems Manager (SSM) 3 hours ago | dev.to
access access management aws aws systems manager +20
How Automated Supply Chain Supercharges ROI 5 hours ago | dev.to
automated automation businesses competitive +17
Software Design Principle: Inversion of Control(IOC) and Dependency Injection 6 hours ago | dev.to
ai angular computer computer hardware +18

Jobs in InfoSec / Cybersecurity

Post a job on infosec-jobs.com Find talent on infosec-jobs.com

SOC 2 Manager, Audit and Certification

@ Deloitte | US and CA Multiple Locations
View on infosec-jobs.com

Security Compliance Architect - Experian Health (Can be REMOTE from anywhere in the US)

@ Experian | ., ., United States
View on infosec-jobs.com

IT Security Specialist

@ Ørsted | Kuala Lumpur, MY
View on infosec-jobs.com

Senior, Cyber Security Analyst

@ Peloton | New York City
View on infosec-jobs.com

Cyber Security Engineer | Perimeter | Firewall

@ Garmin Cluj | Cluj-Napoca, Cluj County, Romania
View on infosec-jobs.com

Pentester / Ethical Hacker Web/API - Vast/Freelance

@ Resillion | Brussels, Belgium
View on infosec-jobs.com
View more jobs