mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-19 19:06:12 +00:00
CORS Fix typo
This commit is contained in:
parent
d6feb565ce
commit
4a63544b75
@ -136,12 +136,16 @@ https://trusted-origin.example.com/?xss=<script>CORS-ATTACK-PAYLOAD</script>
|
|||||||
|
|
||||||
### Vulnerable Example: Wildcard Origin `*` without Credentials
|
### Vulnerable Example: Wildcard Origin `*` without Credentials
|
||||||
|
|
||||||
If the server responds with a wildcard origin `*`, the browser does never send
|
If the server responds with a wildcard origin `*`, **the browser does never send
|
||||||
the cookies. However, if the server does not require authentication, it's still
|
the cookies**. However, if the server does not require authentication, it's still
|
||||||
possible to access the data on the server. This can happen on internal servers
|
possible to access the data on the server. This can happen on internal servers
|
||||||
that are not accessible from the Internet. The attacker's website can then
|
that are not accessible from the Internet. The attacker's website can then
|
||||||
pivot into the internal network and access the server's data withotu
|
pivot into the internal network and access the server's data without authentication.
|
||||||
authentication.
|
|
||||||
|
```powershell
|
||||||
|
* is the only wildcard origin
|
||||||
|
https://*.example.com is not valid
|
||||||
|
```
|
||||||
|
|
||||||
#### Vulnerable Implementation
|
#### Vulnerable Implementation
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user