Cross-Origin Resource Sharing II

This exercise covers Cross-Origin Resource Sharing and how it can be used to get access to sensitive data.

PRO Tier | Medium | < 1 Hr. | 934 | Orange Badge

Course

The course delves into the fundamentals of the Same-Origin Policy (SOP) and how developers often attempt to work around this restriction using techniques like JSONP. That approach has its limitations and risks, which led to the adoption of CORS. With CORS, the server uses HTTP response headers to allow or deny cross-origin reads based on the request's `Origin` header, enabling safer cross-origin requests.

The main focus of the course is on identifying and exploiting weak CORS policies. Specifically, it examines the use of wildcards in the `Access-Control-Allow-Origin` header and the practice of echoing back the `Origin` header from the request. These misconfigurations can allow an attacker to perform authenticated requests on behalf of a user and access sensitive data. Through hands-on exercises, the course walks you through creating a malicious HTML page to exploit these weaknesses and retrieve data from an API.
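The two weak configurations described above (a wildcard `Access-Control-Allow-Origin` and reflecting the request's `Origin`) are easiest to see next to the hardened version. The following is an added example, not PentesterLab's exercise code: it models how a server answers the `Origin` header under each policy and includes a probe helper that classifies which policy an endpoint is using. The allowlist entries, the probe origin and the `corsHeadersFor`, `classifyProbeResponse` and `probePolicy` names are all constructed for this illustration.

```javascript
// Added example (not PentesterLab's exercise code): how a server's answer to
// the Origin header decides who can read a response. Three policies are
// modelled side by side, and a probe helper classifies which one an endpoint
// is using. Allowlist entries and origins below are constructed for the demo.

const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Build the CORS response headers for a request that carried `origin`.
// `policy` is one of "wildcard", "reflect" or "allowlist".
function corsHeadersFor(origin, policy) {
  const headers = {};
  switch (policy) {
    case "wildcard":
      // Weak: every site may read the body. Browsers refuse "*" together with
      // credentials, so this exposes whatever the endpoint serves without a session.
      headers["Access-Control-Allow-Origin"] = "*";
      break;
    case "reflect":
      // Weak: the request's Origin is echoed back unchecked and credentials
      // are allowed, so any site can read responses sent with the user's cookies.
      if (origin) {
        headers["Access-Control-Allow-Origin"] = origin;
        headers["Access-Control-Allow-Credentials"] = "true";
      }
      break;
    case "allowlist":
      // Hardened: exact match against a fixed set (not startsWith or a loose
      // regex). Unknown origins get no CORS headers at all, so the browser
      // blocks the cross-origin read. Vary: Origin stops a shared cache from
      // replaying one origin's answer to another.
      if (origin && ALLOWED_ORIGINS.has(origin)) {
        headers["Access-Control-Allow-Origin"] = origin;
        headers["Access-Control-Allow-Credentials"] = "true";
        headers["Vary"] = "Origin";
      }
      break;
    default:
      throw new Error(`unknown policy: ${policy}`);
  }
  return headers;
}

// Classify the response to a probe sent with an origin the server must never
// trust. Reflection of that origin plus credentials is the finding to fix.
function classifyProbeResponse(probeOrigin, headers) {
  const acao = headers["Access-Control-Allow-Origin"];
  const creds = headers["Access-Control-Allow-Credentials"] === "true";
  if (acao === undefined) return "blocked";
  if (acao === "*") return "wildcard";
  if (acao === probeOrigin) return creds ? "reflect-with-credentials" : "reflect";
  return "other";
}

// Constructed origin that is deliberately not on the allowlist.
const PROBE_ORIGIN = "https://not-on-the-list.example.net";

// Run the probe against a policy and return the classification.
function probePolicy(policy) {
  return classifyProbeResponse(PROBE_ORIGIN, corsHeadersFor(PROBE_ORIGIN, policy));
}

for (const p of ["wildcard", "reflect", "allowlist"]) {
  console.log(`${p.padEnd(9)} -> ${probePolicy(p)}`);
}
```

Running the block prints `wildcard -> wildcard`, `reflect -> reflect-with-credentials` and `allowlist -> blocked`. The same probe works against a live endpoint: send a request with an `Origin` you control but that should never be trusted, and check whether it comes back in `Access-Control-Allow-Origin` alongside `Access-Control-Allow-Credentials: true`. On the server side, the fix is the exact-match allowlist plus `Vary: Origin`; a substring or prefix comparison would let a look-alike origin through.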
