Results 38 comments of jub0bs

Here is another account of a subdomain takeover based on AWS Elastic Beanstalk: https://twitter.com/payloadartist/status/1362035009863880711

A useful resource for creating a PoC: https://godiego.tech/posts/STO-AWS/

@Phoenix1112 I believe so: according to the AWS CLI, the environment name is available:

```shell
$ aws elasticbeanstalk check-dns-availability --region eu-west-1 --cname-prefix uzk2i9mkth
{
    "Available": true,
    "FullyQualifiedCNAME": "uzk2i9mkth.eu-west-1.elasticbeanstalk.com"
}
```

...

@sinclas It would be interesting to see the problematic preflight request and its response.

@localvar The behaviour you're observing is normal. CORS is only a mechanism for instructing the browser to selectively relax some of the Same-Origin Policy's restrictions on network access from a...

@colinclerk

> a cookie set to `SameSite=Lax` won't be included with the cross-origin request.

That entirely depends on whether the issuing origin is _same-site_ with respect to the target origin....

@grovertb

> We have a backend service that consumes directly from a microservice endpoint in which it does not have ORIGIN

If the user agent (your backend service) is not...

Note that [Web origins](https://developer.mozilla.org/en-US/docs/Glossary/Origin) do not contain a path. But I agree with you that a trailing wildcard is a terrible footgun; for instance, `https://example.*` would match Web origin `https://example.attacker.com`.

Mistaking an `OPTIONS` request for a preflight request is a recurring problem in CORS middleware. However, not all `OPTIONS` requests are preflight requests.

I'm curious about this... I believe that this functionality is a potentially dangerous misfeature. What are actual use cases? What kind of information about the request do you need? Note...