I am trying to replicate a CSRF attack locally.

I have a web app (ASP.NET MVC) running with a POST endpoint.
I have another web app running (same domain (localhost) but different port), that is running this:

    <script type="text/javascript">
        // Cross-origin POST from https://localhost:44322 to https://localhost:44300.
        // With a form-urlencoded Content-Type this is a CORS "simple request",
        // so the browser is expected to send it without an OPTIONS preflight.
        var xhr = new XMLHttpRequest();
        xhr.open('POST', 'https://localhost:44300/common/api/creditors/add', true);
        xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
        xhr.send('Id=5324');
    </script>

When I run the above app, I get this error:

Access to XMLHttpRequest at 'https://localhost:44300/common/api/creditors/add' from origin 'https://localhost:44322' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I don’t think my request is being pre-flighted, because it’s a simple request.

I also don’t think my app is CORS aware, which means it should accept the request, and execute it, and it’s just that my browser won’t show the response due to the same-origin policy.

I have put a breakpoint at the common/api/creditors/add endpoint, and it is not getting hit.

I’ve tested using Chrome with relaxed security using this, and I can hit my breakpoint in the endpoint, so I know the URL and the body of the request are ok:

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-web-security --ignore-certificate-errors --user-data-dir="C:/ChromeDevSession"

Why is the request being blocked?

Console tab: [screenshot of the "blocked by CORS policy" console error, not reproduced]

Network tab: [two screenshots of the blocked request in the Network tab, not reproduced]
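Added example, not part of the original post or of the poster's app: a small JavaScript model of the CORS decision the poster is relying on (whether a request is a "simple request" that the browser sends without a preflight, following the Fetch Standard's CORS-safelisted method and header rules, with the header-value checks simplified), plus the classic form-based CSRF proof of concept that does not involve CORS at all, because a form submission is a top-level navigation and no script ever tries to read the response. The endpoint URL and the `Id=5324` field are taken from the post; everything else here (function names, the constructed request objects) is an assumption for illustration.

```javascript
// Added example, not code from the original post. Models the browser's
// "simple request vs. preflight" decision and builds a form-based CSRF PoC.

const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// CORS-safelisted request-header check (Fetch Standard), simplified to the
// header-name whitelist, the Content-Type MIME-essence rule and the 128-byte
// value limit. The per-byte checks on Accept/Accept-Language are omitted.
function isSafelistedHeader(name, value) {
  if (new TextEncoder().encode(String(value)).length > 128) return false;
  switch (name.toLowerCase()) {
    case 'accept':
    case 'accept-language':
    case 'content-language':
      return true;
    case 'content-type': {
      // Only the MIME essence matters; parameters such as charset are ignored.
      const essence = String(value).split(';')[0].trim().toLowerCase();
      return SAFELISTED_CONTENT_TYPES.has(essence);
    }
    default:
      return false; // X-Requested-With, Authorization, custom headers, ...
  }
}

// request = { method, headers: { name: value } }. Returns whether the browser
// would issue an OPTIONS preflight first, and why. For a non-preflighted
// request the browser still sends it and the server still executes it; only
// the response is withheld from the script when no ACAO header comes back.
function classifyCorsRequest(request) {
  const method = String(request.method || 'GET').toUpperCase();
  const reasons = [];
  if (!SAFELISTED_METHODS.has(method)) {
    reasons.push(`method ${method} is not GET/HEAD/POST`);
  }
  for (const [name, value] of Object.entries(request.headers || {})) {
    if (!isSafelistedHeader(name, value)) {
      reasons.push(`header ${name}: ${value} is not CORS-safelisted`);
    }
  }
  return { preflight: reasons.length > 0, reasons };
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Classic CSRF PoC: an auto-submitting form. A form POST with a urlencoded
// body is a navigation, so CORS never enters the picture and the browser
// attaches the victim's cookies subject only to their SameSite attribute.
function buildCsrfForm(action, fields) {
  const inputs = Object.entries(fields)
    .map(([k, v]) => `  <input type="hidden" name="${escapeHtml(k)}" value="${escapeHtml(v)}">`)
    .join('\n');
  return [
    `<form id="csrf" method="POST" action="${escapeHtml(action)}" enctype="application/x-www-form-urlencoded">`,
    inputs,
    '</form>',
    '<script>document.getElementById("csrf").submit();</script>',
  ].join('\n');
}

// The request from the post, as a constructed object.
const POSTED_REQUEST = {
  method: 'POST',
  headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(classifyCorsRequest(POSTED_REQUEST));
  console.log(classifyCorsRequest({ method: 'POST', headers: { 'Content-Type': 'application/json' } }));
  console.log(buildCsrfForm('https://localhost:44300/common/api/creditors/add', { Id: '5324' }));
}
```

Run with `node cors-csrf.js`. The poster's request classifies as a simple request (no preflight), which matches the reasoning in the post: the browser should transmit it and merely hide the response. Switching the Content-Type to `application/json` or adding a custom header such as `X-Requested-With` turns it into a preflighted request, and an ASP.NET endpoint that does not answer the OPTIONS request would then never see the POST at all. When a simple request produces the CORS console error but the server-side breakpoint is never hit, it is worth checking the things the browser evaluates before CORS, for example whether the origin's TLS certificate is trusted by the browser for that host and port, since `--ignore-certificate-errors` in the relaxed-security launch would mask exactly that class of failure.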
