meow.md (49)


3 野に咲く名無し@転載禁止 (OP) 2023/09/07 02:20:31

CORS bypass too

Partridge further explained that the PoC bypasses existing CORS (Cross-Origin Resource Sharing) protections on web browsers because the requests are sent to the Atlas VPN API as form submissions.

"Form submissions are exempt from CORS for legacy/compatibility reasons, they're considered a 'simple request' by the CORS spec," Partridge told BleepingComputer.

Normally, CORS would block requests made by scripts in web pages to different domains than the origin domain. In the case of this exploit, it would be requests made by any website to a visitor's localhost at "http://127.0.0.1:8076/connection/stop."

However, Partridge explained to BleepingComputer that using a form submission to "bypass" CORS would not allow a website to see any response from the form submission.
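Since the trick depends on the request being a CORS "simple request" that the browser sends without a preflight, a localhost API can protect itself by refusing that request shape and insisting on one a browser would have to preflight. The following is an added example, not Atlas VPN's code and not from the article; the request dictionaries, the allow-list and the custom X-Requested-With header are assumptions made for illustration.

```python
# Added example (not the vendor's code): decide whether a localhost API such
# as one at http://127.0.0.1:8076/ should act on an incoming request.
# Request shapes and the allow-list below are constructed for illustration.

SIMPLE_METHODS = {"GET", "HEAD", "POST"}
# Request Content-Types that do NOT trigger a CORS preflight; an HTML form
# can only produce these, which is why the form trick needs no preflight.
SIMPLE_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}
# Headers a browser adds on its own; anything else makes the request
# non-simple and forces a preflight (simplified from the CORS safelist).
BROWSER_HEADERS = {"accept", "accept-language", "content-language",
                   "content-type", "origin", "sec-fetch-site", "host",
                   "user-agent", "cookie", "referer", "content-length"}
ALLOWED_ORIGINS = {"http://127.0.0.1:8076"}  # constructed allow-list


def is_simple_request(method: str, headers: dict) -> bool:
    """True if a browser would send this cross-origin without a preflight."""
    if method.upper() not in SIMPLE_METHODS:
        return False
    h = {k.lower(): v for k, v in headers.items()}
    if set(h) - BROWSER_HEADERS:          # e.g. a custom X-Requested-With
        return False
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    return ctype == "" or ctype in SIMPLE_CONTENT_TYPES


def should_accept(method: str, headers: dict) -> bool:
    """Reject cross-site form submissions to a state-changing endpoint."""
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False                      # browser says it came from elsewhere
    if h.get("sec-fetch-site", "none") not in ("same-origin", "none"):
        return False                      # modern browsers label cross-site
    # Refuse any "simple" shape: a legitimate client can always send JSON
    # plus a custom header, which a browser would have to preflight first.
    return not is_simple_request(method, headers)


# Constructed requests as they would arrive at /connection/stop.
FORM_FROM_WEBSITE = ("POST", {"Origin": "https://attacker.example",
    "Sec-Fetch-Site": "cross-site", "Content-Type": "application/x-www-form-urlencoded"})
LOCAL_CLIENT = ("POST", {"Content-Type": "application/json",
    "X-Requested-With": "local-client"})   # hypothetical custom header
```

With these rules the form submission is dropped on both the Origin check and the simple-request check, while the desktop client's JSON request with a custom header passes.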