
Processing Rogue Cross Origin Request - Insecure Demo

processCOR.php, located at www.andlabs.net, is supposed to be accessible only from www.andlabs.org.
However, the page is executed irrespective of which site makes the Cross Origin Request.
Only the response is withheld from sites other than www.andlabs.org; the server-side work has already been done by then.

In place of the date function there could be other code that is very resource intensive to execute, and rogue JavaScript on any site could force the server to run it on every request.

PHP Source of http://www.andlabs.net/html5/processCOR.php:

    <?php
    header('Access-Control-Allow-Origin: http://www.andlabs.org'); // must be sent before any output
    echo date('l jS \of F Y h:i:s A'); // runs for every origin; only the read of the response is restricted


The original page provides a link that makes this request from www.andlabs.org and displays the response.

Try making the same request from some other domain and capture the response in a proxy. It can be seen that the response body is the same as the one returned to www.andlabs.org; the browser merely refuses to hand it to the page's script.
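The fix the demo points at is to check the Origin header before doing the work, not just when setting the response header. The following is an added example, not the demo's own code: a hardened variant of processCOR.php. The allow-list, the expensiveWork() stand-in and the handleRequest() structure are assumptions for illustration.

```php
<?php
// Added example, not the demo's own code. A hardened processCOR.php that
// checks the Origin header before doing any work. The allow-list below
// and the expensiveWork() stand-in are hypothetical.

// Origins allowed to read the response: exact strings, scheme included.
const ALLOWED_ORIGINS = ['http://www.andlabs.org'];

// Exact comparison against the allow-list. A substring or prefix check
// would wrongly accept origins such as http://www.andlabs.org.example.
function isAllowedOrigin(?string $origin): bool
{
    return $origin !== null && in_array($origin, ALLOWED_ORIGINS, true);
}

// Stand-in for the resource-intensive code the demo describes.
function expensiveWork(): string
{
    return date('l jS \of F Y h:i:s A');
}

// Returns [status, headers, body] for a request with the given Origin
// header (null when absent) and HTTP method.
function handleRequest(?string $origin, string $method): array
{
    if (!isAllowedOrigin($origin)) {
        // Reject before spending CPU: the browser would withhold the
        // response from a rogue page anyway, but the work would still run.
        // Requests with no Origin header (direct navigation, non-browser
        // clients) are rejected here too; that is a policy choice.
        return [403, [], 'Forbidden'];
    }

    // Echo the validated origin back and tell caches the response varies on it.
    $headers = [
        'Access-Control-Allow-Origin: ' . $origin,
        'Vary: Origin',
    ];

    if ($method === 'OPTIONS') {
        // Preflight: answer with the CORS headers only, no body, no work.
        $headers[] = 'Access-Control-Allow-Methods: GET';
        return [204, $headers, ''];
    }

    return [200, $headers, expensiveWork()];
}

// Entry point when run under a web server; skipped under the CLI so the
// functions above can be exercised directly from a test script.
if (PHP_SAPI !== 'cli') {
    [$status, $headers, $body] = handleRequest(
        $_SERVER['HTTP_ORIGIN'] ?? null,
        $_SERVER['REQUEST_METHOD'] ?? 'GET'
    );
    http_response_code($status);
    foreach ($headers as $h) {
        header($h);
    }
    echo $body;
}
```

The Origin header is attached by the browser and cannot be altered by page script, so this check stops the rogue-JavaScript case the demo describes: a request from any other site gets a 403 before expensiveWork() runs, and in a proxy the response body is now different. A non-browser client can send any Origin it likes, so the check is a guard against cross-site abuse, not an authentication mechanism.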

Based on the COR examples from Mozilla and Arun Ranga