Burp Suite User Forum


for clearing doubts regarding paragraph in CORS article https://portswigger.net/web-security/cors

sanjogc | Last updated: Aug 12, 2022 01:41PM UTC

Intranets and CORS without credentials

Most CORS attacks rely on the presence of the response header: Access-Control-Allow-Credentials: true

"Without that header, the victim user's browser will refuse to send their cookies, meaning the attacker will only gain access to unauthenticated content, which they could just as easily access by browsing directly to the target website."

The quoted sentence is a little bit confusing to me because the absence of the ACAC header means the user cannot read the response (authenticated), but the line says the browser won't even send cookies. It would be true only if it was a preflight response. Please correct me if I am wrong. I am currently learning CORS.

Michelle, PortSwigger Agent | Last updated: Aug 15, 2022 02:28PM UTC

If a website returns:

Access-Control-Allow-Origin: *

This doesn’t make it vulnerable unless you have Access-Control-Allow-Credentials: true.

I hope this helps to explain things a bit more and that we've understood your query correctly. You might also find this page useful for some further reading: https://portswigger.net/web-security/cors/access-control-allow-origin
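Added example, not part of the original thread or of PortSwigger's material: a simplified model of the CORS check in the Fetch standard for a cross-origin request that needs no preflight, keeping "were cookies attached" separate from "can the page read the response". The function name, origins and sample headers are constructed for illustration.

```javascript
// Simplified model of the Fetch standard's CORS check (no preflight).
// Not modelled: SameSite and third-party-cookie blocking, which can stop
// cookies from being attached even when the page asks for them.
function corsOutcome(pageOrigin, credentialsMode, responseHeaders) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) {
    h[k.toLowerCase()] = String(v).trim();
  }

  // Cookies go out on a cross-origin request only if the calling page
  // opted in (fetch credentials: "include" or xhr.withCredentials = true).
  // That decision is made before any response header exists.
  const cookiesSent = credentialsMode === "include";

  const acao = h["access-control-allow-origin"];
  const acac = h["access-control-allow-credentials"];

  let readable;
  if (acao === undefined) readable = false;               // no ACAO at all
  else if (!cookiesSent && acao === "*") readable = true; // wildcard, anonymous
  else if (acao !== pageOrigin) readable = false;         // origin mismatch
  else if (!cookiesSent) readable = true;                 // exact match, anonymous
  else readable = acac === "true";                        // credentialed: needs ACAC

  return { cookiesSent, readable };
}

// Constructed sample: a page on https://other.example requests a target API.
const PAGE = "https://other.example";
function sampleCases() {
  return {
    credsNoAcac: corsOutcome(PAGE, "include",
      { "Access-Control-Allow-Origin": PAGE }),
    credsWithAcac: corsOutcome(PAGE, "include",
      { "Access-Control-Allow-Origin": PAGE,
        "Access-Control-Allow-Credentials": "true" }),
    anonWildcard: corsOutcome(PAGE, "same-origin",
      { "Access-Control-Allow-Origin": "*" }),
    credsWildcard: corsOutcome(PAGE, "include",
      { "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Credentials": "true" }),
  };
}

console.log(sampleCases());
```
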
