Exploiting CORS

With a real-world example:

To understand CORS first we need to learn about same-origin.

When we browse any application that application server fetch data such as images, web pages from different locations on the same server or maybe from a different server on the internet. So to make this fetching securely server implements “same-origin policy”.

Same Origin Policy: If server set this then server can fetch data, only from the same server they have whitelisted in their same origin policy if they try to fetch data from a domain which is not whitelisted, their request will not be successful.

What do you mean by same-origin??

It is a combination of three parts.

· Port

· Protocol

· Host

So if A wants some data from B then A and B both must have the same port (80), host (example.com), and protocol (HTTP/https). When these three parts are the same, fetching can be successful in same-origin policy.

So, after implementing it we can achieve security but developer or application admin feels very restrictive to perform tasks on the web application. Because whitelisting each and every URL from you want to fetch the data is a hectic task for the developers. Therefore, to remove that restriction we can…