XXE Injections
Abusing XML Parsers
The Same Origin Policy restricts XHR and Fetch requests from accessing content on different origins.
The purpose of SOP is not to prevent the request for a resource from being sent, but to prevent JavaScript from reading the response. This is why we can proxy a request through Burp and see the response in Burp, but not in the browser's developer console.
For example:
https://donkey.com/ can talk to https://donkey.com/donkey_breed but not to https://hooves.com/.
To further illustrate:
| URL | RESULT | REASON |
|---|---|---|
| https://a.com/myInfo | Allowed | Same origin |
| http://a.com/users.json | Blocked | Different Scheme and Port |
| https://api.a.com/info | Blocked | Different Domain |
| https://a.com**:8443**/files | Blocked | Different Port |
| https://b.com/analytics | Blocked | Different Domain |
Without the same-origin policy, any website we visit could:
The Cross-Origin Resource Sharing (CORS) specification was introduced to let developers selectively relax the same-origin policy, for example so that a page can read data from an API hosted on another origin.
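The origin comparison from the table above and the CORS opt-in from this paragraph, as an added example (not code from the original notes): `sopCheck` classifies a target URL against the page's origin by scheme, host and effective port, and `corsHeaders` shows the server side of CORS using an allowlist; the function names and the allowlisted origins are assumptions made for the example.

```javascript
// Effective port when the URL omits one (URL.port is "" for the scheme default).
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

function originParts(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORT[u.protocol] || "",
  };
}

// Same-origin check as the browser applies it to XHR/Fetch responses:
// scheme, host and port must all match. Returns the reason in the table's wording.
function sopCheck(pageUrl, targetUrl) {
  const a = originParts(pageUrl);
  const b = originParts(targetUrl);
  const diffs = [];
  if (a.scheme !== b.scheme) diffs.push("Scheme");
  if (a.host !== b.host) diffs.push("Domain");
  if (a.port !== b.port) diffs.push("Port");
  return diffs.length === 0
    ? { allowed: true, reason: "Same origin" }
    : { allowed: false, reason: "Different " + diffs.join(" and ") };
}

// CORS: the server names the origins that may read its responses.
// Constructed allowlist for the example; the browser enforces it on the client side.
const ALLOWED_ORIGINS = new Set(["https://a.com", "https://app.a.com"]);

// Headers to add to a response given the request's Origin header (undefined if absent).
// An origin not on the list gets no CORS headers, so SOP keeps blocking the read.
function corsHeaders(requestOrigin) {
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    // Vary keeps a cache from serving one origin's allow header to another.
    "Vary": "Origin",
  };
}
```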