This commit is contained in:
Heeryong Kang 2020-04-22 16:09:18 +09:00 committed by GitHub
parent bf73393921
commit c2b8018617
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -131,7 +131,7 @@ https://trusted-origin.example.com/?xss=<script>CORS-ATTACK-PAYLOAD</script>
### Vulnerable Example: Wildcard Origin `*` without Credentials ### Vulnerable Example: Wildcard Origin `*` without Credentials
If the server responds with a wildcard origin `*`, the browser does never send If the server responds with a wildcard origin `*`, the browser does never send
the cookies. Howver, if the server does not require authentication, it's still the cookies. However, if the server does not require authentication, it's still
possible to access the data on the server. This can happen on internal servers possible to access the data on the server. This can happen on internal servers
that are not accessible from the Internet. The attacker's website can then that are not accessible from the Internet. The attacker's website can then
pivot into the internal network and access the server's data withotu pivot into the internal network and access the server's data withotu