I am very confused about the Origin header while exploiting CORS. Actually, the Origin header comes automatically when making a cross-domain request. Yeah, right, but...
What if I send an HTML page with an XHR request from, let's say, attackerIP.com to the victim, making a credential:true request to exploit the CORS vulnerability? Then what Origin header will be there at the time the victim clicks? I mean, is it attackerip.com or another origin (when the user clicks)?
I hope you get my point.
Thank you