
Test Cross Origin Resource Sharing (OTG-CLIENT-007)

From OWASP
Revision as of 19:31, 9 October 2013 by Jgaliana (talk | contribs) (added brief summary)

This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
Back to the OWASP Testing Guide Project: https://www.owasp.org/index.php/OWASP_Testing_Project


Brief Summary

Cross Origin Resource Sharing (CORS) is a mechanism that enables a browser to perform "cross-domain" requests using the XMLHttpRequest Level 2 API in a controlled manner. In the past, the XMLHttpRequest Level 1 API only allowed requests to the same origin, so communication through this API was limited by the same origin policy.

Cross-origin requests carry an Origin header that identifies the requesting origin and is always sent to the server. CORS defines the protocol used between a web browser and a server to determine whether a cross-origin request is allowed. A few HTTP headers, supported by all major browsers and covered later, are involved in this process: Origin, Access-Control-Request-Method, Access-Control-Request-Headers, Access-Control-Allow-Origin, Access-Control-Allow-Credentials, Access-Control-Allow-Methods and Access-Control-Allow-Headers.

The CORS specification mandates that for non-simple requests, such as requests with methods other than GET or POST or requests that use credentials, a pre-flight OPTIONS request must be sent in advance to check whether the actual request would have an adverse impact on the data. The pre-flight request checks the methods and headers allowed by the server and whether credentials are permitted; based on the result of the OPTIONS request, the browser decides whether the actual request is allowed.
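The pre-flight exchange described above, modelled end to end as an added example (this is not code from the OWASP guide): a server policy answers the OPTIONS request with the Access-Control-Allow-* headers, and a browser-side check decides from those headers whether the actual request may proceed. The definition of a "simple" request follows the CORS specification (GET, HEAD or POST with only safelisted headers and a form-style Content-Type); the policy values and origins such as https://app.example are constructed for the example and do not refer to any real deployment.

```python
"""Added example (not part of the OWASP page): a minimal model of the CORS
pre-flight exchange, with the server side (answering OPTIONS with the
Access-Control-Allow-* headers) and the browser side (deciding from those
headers whether the actual request may go ahead). The policy values and
origins used below are constructed for the example."""
from dataclasses import dataclass

# The spec's definition of a "simple" request, which needs no pre-flight.
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded",
                        "multipart/form-data", "text/plain"}


def is_simple_header(name, value):
    """A header that never triggers a pre-flight and need not be allow-listed."""
    lname = name.lower()
    if lname not in SIMPLE_HEADERS:
        return False
    if lname == "content-type":
        return value.split(";")[0].strip().lower() in SIMPLE_CONTENT_TYPES
    return True


def needs_preflight(method, headers):
    """True if the browser must send an OPTIONS pre-flight before the request."""
    if method.upper() not in SIMPLE_METHODS:
        return True
    return not all(is_simple_header(n, v) for n, v in headers.items())


@dataclass
class ServerPolicy:
    """Server side: the configured CORS policy (constructed for the example)."""
    allowed_origins: set
    allowed_methods: set
    allowed_headers: set
    allow_credentials: bool = False

    def respond(self, request_headers):
        """Answer the pre-flight (or a simple request) with the CORS headers."""
        origin = request_headers.get("Origin")
        if "*" in self.allowed_origins:
            acao = "*"
        elif origin in self.allowed_origins:
            acao = origin
        else:
            return {}  # no Access-Control-Allow-Origin: the browser blocks it
        resp = {
            "Access-Control-Allow-Origin": acao,
            "Access-Control-Allow-Methods": ", ".join(sorted(self.allowed_methods)),
            "Access-Control-Allow-Headers": ", ".join(sorted(self.allowed_headers)),
        }
        if self.allow_credentials:
            resp["Access-Control-Allow-Credentials"] = "true"
        return resp


def _csv(value):
    """Split a comma-separated header value into a lower-cased set."""
    return {item.strip().lower() for item in value.split(",") if item.strip()}


def browser_allows(origin, method, headers, with_credentials, response):
    """Browser side: decide from the response headers whether the request is
    allowed. Returns (allowed, reason)."""
    acao = response.get("Access-Control-Allow-Origin")
    if acao is None:
        return False, "no Access-Control-Allow-Origin header"
    if acao != "*" and acao != origin:
        return False, "origin not allowed"
    if with_credentials:
        if acao == "*":  # browsers refuse the wildcard when credentials are sent
            return False, "wildcard origin is not valid with credentials"
        if response.get("Access-Control-Allow-Credentials", "").lower() != "true":
            return False, "credentials not permitted"
    if method.upper() not in SIMPLE_METHODS and \
            method.lower() not in _csv(response.get("Access-Control-Allow-Methods", "")):
        return False, f"method {method} not allowed"
    allowed_headers = _csv(response.get("Access-Control-Allow-Headers", ""))
    for name, value in headers.items():
        if not is_simple_header(name, value) and name.lower() not in allowed_headers:
            return False, f"header {name} not allowed"
    return True, "allowed"


def cross_origin_request(policy, origin, method, headers, with_credentials=False):
    """Run the whole exchange: pre-flight when required, then the decision."""
    request = {"Origin": origin}
    if needs_preflight(method, headers):
        request["Access-Control-Request-Method"] = method.upper()
        request["Access-Control-Request-Headers"] = ", ".join(
            n for n, v in headers.items() if not is_simple_header(n, v))
    response = policy.respond(request)
    return browser_allows(origin, method, headers, with_credentials, response)


if __name__ == "__main__":
    policy = ServerPolicy(allowed_origins={"https://app.example"},
                          allowed_methods={"GET", "POST", "PUT"},
                          allowed_headers={"content-type", "x-requested-with"},
                          allow_credentials=True)
    body = {"Content-Type": "application/json"}
    print(cross_origin_request(policy, "https://app.example", "PUT", body, True))
    print(cross_origin_request(policy, "https://other.example", "PUT", body, True))
    print(cross_origin_request(policy, "https://app.example", "DELETE", {}))
```

Two points worth noting when testing a real server against this model: a response with no Access-Control-Allow-Origin header is a refusal, not an error, and a wildcard Access-Control-Allow-Origin is rejected by the browser as soon as the request carries credentials, so a server that wants to accept credentialed cross-origin requests must echo a specific, vetted origin together with Access-Control-Allow-Credentials: true.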

Description of the Issue


...here: Short Description of the Issue: Topic and Explanation

Black Box testing and example

Testing for Topic X vulnerabilities:
...
Result Expected:
...

References

Whitepapers
...
Tools
...