
I tried to make a cross-domain AJAX request and always got a 0 status response, and now I seem to understand what the problem was. On the site side, there can be a list of domains that can send requests to it. It is set the following way, as far as I understood:

```
Access-Control-Allow-Origin: http://example.com
```

And as I understand, when I make a request to another domain, the browser automatically adds an `Origin` header to the request, containing the domain the request came from.

So, will the server be tricked if that header value is changed, and how can that be done?

```php
<?php

// Target URL is taken straight from the POST body.
$url = $_POST['url'];

$options = array(
    'http' => array(
        'header'  => "Content-type: application/x-www-form-urlencoded\r\n",
        'method'  => 'POST',
        'content' => $_POST['data']
    )
);
$context = stream_context_create($options);

// Forward the POST to $url and relay the response body.
$result = file_get_contents($url, false, $context);
if ($result === FALSE) {
    echo('error');
} else {
    echo($result);
}

?>
```
Artur
  • @LawrenceCherone by server side, do you mean on the other server that I need to send the request to, or on my server? – Artur Sep 10 '20 at 19:33
  • @LawrenceCherone also, I am actually not using a browser but a WinAPI program with a Chromium WebView in it – Artur Sep 10 '20 at 19:35
  • CORS is a browser thing and Chromium WebView is a browser. Use anything other than a browser and it won't be blocked: server-side code, Postman, curl, wget will all work without issue. – Lawrence Cherone Sep 10 '20 at 19:35
  • @LawrenceCherone okay, what if I create a PHP script on my domain that will send the POST request (it seems there is a way to make an HTTP request via PHP)? Can I set a custom `Origin` via PHP? If yes, then to make a cross-domain request from my site I will make a request to that script on my domain, and it will send the cross-domain request? – Artur Sep 10 '20 at 19:40
  • Yeah, exactly that, use a server-side script to make a remote request. You won't even need to set headers, but you can if you want the request to look exactly like a browser and not a PHP script. Closing as dupe. – Lawrence Cherone Sep 10 '20 at 19:42
  • @LawrenceCherone it seems I have been trying something similar, but I will try again, thank you – Artur Sep 10 '20 at 19:44
  • np, search `php cors proxy` and you'll find a few offsite resources. Watch out for LFI-vulnerable ones though: you must check the domain does not include `file://`, else it's trivial to load up files from the server. – Lawrence Cherone Sep 10 '20 at 19:45
  • @LawrenceCherone may I waste a little bit more of your time? I am stupid and earlier, when using the method with the PHP script, I just passed non-encoded parameters. Now it works, but the site returns a page saying that my browser doesn't support cookies (I send that request via iPhone). Should I do something with the request header? (Added the code of the PHP script) – Artur Sep 10 '20 at 20:10
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/221289/discussion-between-artur-and-lawrence-cherone). (Misclicked, never mind) – Artur Sep 10 '20 at 20:14
  • @LawrenceCherone it seems I should use something like this https://stackoverflow.com/q/26225462/12450770 – Artur Sep 10 '20 at 20:15
  • yeah curl is a better choice, it's also faster than fgc, just be careful of `file://` as previously mentioned – Lawrence Cherone Sep 10 '20 at 20:17
  • @LawrenceCherone I understood what you mean by `file://`; I only need to access `http://auto.vsk.ru/login.aspx` – Artur Sep 10 '20 at 20:21
  • `$_POST['url']` is user-supplied. A hacker could trivially craft a POST request in Postman etc. and set url to `file://index.php` or `file://../../../../etc/passwd` etc. and load files from your server; not only that, they could use your script as a proxy to attack other sites. If you're only wanting to log in to one site then you should specifically define that as the URL and not allow the user to change it. – Lawrence Cherone Sep 10 '20 at 20:24
  • @LawrenceCherone aha, so I have to add to my script a ban on accessing domains with `file://`? – Artur Sep 10 '20 at 20:28
  • yeah, or use rewrites and forward everything after say `/vsk-proxy/*` to `http://auto.vsk.ru/*`, then you can do a POST request to `/vsk-proxy/login.php` and it will send it through to `http://auto.vsk.ru/login.php`. Use a cookie jar to maintain the session, perhaps with additional response headers with session-id/cookie-jar-id locking, as all users would use the same cookie jar otherwise. It's quite a bit of code to make it fully flexible – Lawrence Cherone Sep 10 '20 at 20:37
  • @LawrenceCherone thank you a lot, your feedback is very helpful – Artur Sep 10 '20 at 20:53
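
The fixed-upstream approach suggested in the comments above, as an added example that is not code from the thread: the caller supplies only a path under `/vsk-proxy/`, curl is limited to HTTP(S), and each PHP session gets its own cookie jar. The function names and the jar location under the system temp directory are assumptions.

```php
<?php
// Added example, not the asker's script. Host and /vsk-proxy/ prefix are the
// ones named in the comments; function names and jar location are assumed.
const UPSTREAM = 'http://auto.vsk.ru/';
const PREFIX   = '/vsk-proxy/';

// Map a request path under PREFIX onto the fixed upstream, or return null.
// The caller never supplies a scheme or host, so file:// cannot be requested.
function upstream_url(string $path): ?string
{
    $re = '#^' . preg_quote(PREFIX, '#') . '([A-Za-z0-9._/-]*)$#D';
    if (!preg_match($re, $path, $m) || strpos($m[1], '..') !== false) {
        return null;
    }
    return UPSTREAM . $m[1];
}

// POST $body to $url with curl limited to HTTP(S) and a per-session cookie jar.
function forward_post(string $url, string $body, string $jar): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,   // do not chase redirects to other hosts
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_COOKIEJAR      => $jar,    // written when the handle is released
        CURLOPT_COOKIEFILE     => $jar,
    ]);
    $out = curl_exec($ch);
    return [(int) curl_getinfo($ch, CURLINFO_HTTP_CODE), $out];
}

if (PHP_SAPI !== 'cli') {
    session_start();
    $url = upstream_url((string) parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH));
    if ($url === null || $_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(400);
        exit('bad request');
    }
    $jar = sys_get_temp_dir() . '/jar_' . hash('sha256', session_id());
    [$code, $out] = forward_post($url, http_build_query($_POST), $jar);
    http_response_code($out === false ? 502 : $code);
    echo $out === false ? 'error' : $out;
} else {
    // Constructed paths: run from the command line to see which ones are accepted.
    foreach (['/vsk-proxy/login.aspx', '/vsk-proxy/../etc/passwd', '/vsk-proxy/file://x'] as $p) {
        echo $p, ' => ', upstream_url($p) ?? 'rejected', "\n";
    }
}
```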
