I can haz cookies!

I still don't know how I missed this, but it's just a one-line change:

`xhr.withCredentials = true;`

That's it. With this flag set:
- CORS simple requests will include cookies / HTTP auth
- CORS preflighted requests will ask for permission to include them
(Image caption: "Take those cookies to your grandma", said The Browser)
- Victim logs in to the victim.whatever.com website
- He receives a session cookie for future requests
- In the same browser session (e.g. in a 2nd tab) he visits the attacker.reallybad.ly website
  "Browser, I really need you to send this tiny little harmless POST to victim"
- Browser treats this as a simple CORS request, so it attaches the cookie for the victim domain to it and sends it.
  "Hey, JS! It's a request to another domain - what are you up to? Oh, just a POST request? No custom headers? Sure thing, here are the cookies and I wish you a pleasant journey!"
- The victim app receives the POST file upload with the cookie, so it processes the upload and responds.
  "What's this weird Origin header pointing to attacker.reallybad.ly? It must be the new kid in town, but who am I to know?"
- Browser looks at the response and, not finding the appropriate CORS response headers, discards the response.
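As an added example (not code from the original post), here is the browser-side rule the story relies on, which requests go out without a preflight and therefore carry cookies straight away once `withCredentials` is set, next to the server-side Origin check the victim app skipped. The origins, the session value and the allow-list policy are constructed for the example.

```javascript
// Added example: CORS "simple request" classification plus an Origin allow-list check.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);
// CORS-safelisted request headers a script may set without triggering a preflight.
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);

// True when the browser sends the script's request at once (no OPTIONS round trip).
// `scriptHeaders` are only the headers the script set itself; Origin and Cookie are
// added by the browser and do not count towards the preflight decision.
function isSimpleRequest(method, scriptHeaders) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(scriptHeaders)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return false;
    if (lower === "content-type") {
      // Parameters such as "; boundary=..." do not change the classification.
      const mediaType = value.split(";")[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mediaType)) return false;
    }
  }
  return true;
}

// Server side: refuse state-changing requests unless Origin is on the allow list.
// A missing Origin on a state-changing request is refused too (constructed policy).
function allowStateChange(received, allowedOrigins) {
  const method = received.method.toUpperCase();
  if (method === "GET" || method === "HEAD") return true; // reads are not state-changing
  const originKey = Object.keys(received.headers).find((k) => k.toLowerCase() === "origin");
  if (originKey === undefined) return false;
  return allowedOrigins.has(received.headers[originKey]);
}

// Constructed sample: what the attacker page asked the browser to send...
const scriptRequest = {
  method: "POST",
  headers: { "Content-Type": "multipart/form-data; boundary=----abc" },
};
// ...and what the victim server received after the browser added Origin and the cookie.
const receivedRequest = {
  method: "POST",
  headers: {
    origin: "https://attacker.reallybad.ly",
    "content-type": "multipart/form-data; boundary=----abc",
    cookie: "session=constructed-session-id",
  },
};
const VICTIM_ORIGINS = new Set(["https://victim.whatever.com"]);
```

`isSimpleRequest` returns true for the upload in the story, which is exactly why no preflight ever asked for permission, and `allowStateChange` is the decision the victim app should have taken on "the new kid in town".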