Bypassing Same-Origin Policy (SOP)

    I will show you how to bypass Same-Origin Policy (SOP).

    For those of you who don't know what SOP is, it is:

    The same-origin policy is a critical security mechanism that restricts how a document or script loaded from one origin can interact with a resource from another origin. It helps isolate potentially malicious documents, reducing possible attack vectors.
    You may bypass this restraint through JSONP endpoints using a callback parameter.

    JSONP is a method for sending JSON data without worrying about cross-domain issues.
    JSONP does not use the XMLHttpRequest object.
    JSONP uses the <script> tag instead.

    Thus, if you discovered a JSONP endpoint with a callback parameter, you may make an HTML file:
    Code:
    <div id='div1'></div>
    <script type='text/javascript'>
      // Callback named in the ?callback= parameter; receives the JSONP payload
      function myCallback(data) {
        document.getElementById('div1').innerHTML = Object.values(data);
      }
    </script>
    <script src='https://www.sitediscovered.com/JSONPEndpoint?callback=myCallback'></script>
    You can see that I utilized Object.values(data) to obtain the response. So you could also attempt using JSON.parse() and JSON.stringify() functions.

    This HTML file will request the endpoint and you shall be able to read the response values.

    Remember that if you don't see a callback parameter, you may still attempt to locate that particular parameter.

    Occasionally, a response may include valuable information.
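
Added example, not part of the original post: the server side of the request that the HTML file above makes, showing a JSONP handler next to a JSON-only replacement with a CORS allow-list. The names `profileFor`, `TRUSTED_ORIGINS`, the request shape and the `example.com` hosts are assumptions made for illustration.

```javascript
// Hypothetical handlers; request/response objects are plain data so the logic runs offline.
const TRUSTED_ORIGINS = new Set(['https://app.example.com']); // constructed allow-list

// Constructed per-user data returned for the logged-in session.
function profileFor(session) {
  return { user: session.user, email: session.email };
}

// BEFORE: classic JSONP. The browser attaches the user's cookies to any
// <script src=...> load and the reply is executable script, so whichever page
// embedded the endpoint receives the data in its callback.
function jsonpHandler(req) {
  const body = `${req.query.callback}(${JSON.stringify(profileFor(req.session))})`;
  return { status: 200, headers: { 'Content-Type': 'application/javascript' }, body };
}

// AFTER: JSON only. The reply is not script, nosniff stops the browser from
// running it as one, and cross-origin reads are limited to allow-listed origins.
function jsonHandler(req) {
  if ('callback' in req.query) {
    return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: 'JSONP not supported' };
  }
  const headers = {
    'Content-Type': 'application/json; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
    'Vary': 'Origin',
  };
  const origin = req.headers.origin;
  if (origin && TRUSTED_ORIGINS.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return { status: 200, headers, body: JSON.stringify(profileFor(req.session)) };
}

// Constructed request: what the server sees when a third-party page embeds the endpoint.
function crossSiteRequest(query = { callback: 'myCallback' }, origin) {
  return {
    query,
    headers: origin ? { origin } : {},
    session: { user: 'alice', email: 'alice@example.com' },
  };
}
```
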
