Update cors-bypass.md

grammar
GO 2022-07-19 15:57:21 +01:00 committed by GitHub
parent f42f349adc
commit a14105e3b2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -136,7 +136,7 @@ One notable exception is when the **victim's network location functions as a kin
### Reflected `Origin` in `Access-Control-Allow-Origin`
In the real world this cannot happen as **these 2 values of the headers are forbidden together**.\
It is also true that a lot of developers want to **allow several URLs in the CORS**, but subdomain wildcards or lists of URLs aren't allowed. Then, several developers **generates** the \*\*`Access-Control-Allow-Origin`\*\*header **dynamically**, and in more than one occasion they just **copy the value of the Origin header**.
It is also true that a lot of developers want to **allow several URLs in the CORS**, but subdomain wildcards or lists of URLs aren't allowed. Then, several developers **generate** the \*\*`Access-Control-Allow-Origin`\*\*header **dynamically**, and in more than one occasion they just **copy the value of the Origin header**.
In that case, the **same vulnerability might be exploited.**
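
Review bot: The changed line still has the escaped bold markers `\*\*` around `Access-Control-Allow-Origin` and no space before "header", so it will likely render with literal asterisks run into the next word. Since this commit is a grammar pass on exactly that line, fix it in the same change, for example "generate the **`Access-Control-Allow-Origin`** header **dynamically**". The same line also keeps "in more than one occasion", which should read "on more than one occasion", and "Then, several developers" would read better as "So, many developers". Separately, the context line above says "these 2 values of the headers are forbidden together" without naming the two values in the lines shown here; naming them inline would let a reader see why simply copying the `Origin` header is the risky pattern this section warns about.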