Hey, this is Maruf Hosan aka 0xmaruf. Let's jump into our topic.

# SOP : same origin policy
The same-origin policy is a browser security feature that stops a page on one origin from reading responses that belong to a different origin. It does not stop the request from being sent (an <img>, a <form> or a fetch() can still hit the other site); it stops the JavaScript on the page from reading what came back. By default every different origin is blocked.
What is a different origin? An origin is the triple scheme + host + port. Change any one of the three and you have a different origin.
Example: my site is https://example.com
https://evil.com → different origin | different site
https://api.example.com → different origin | subdomain (still the same site, which matters for SameSite below)
http://example.com → different origin | different scheme (protocol)
https://example.com:5000 → different origin | different port
# CORS: Cross origin Resource Sharing
CORS is the mechanism a server uses to relax SOP: its response headers tell the browser which origin is allowed to read the response.
SOP blocks every different origin by default. Does CORS then allow any origin? No: the server has to say, in its response, which origin may read it, and the browser enforces that answer.
The two headers that matter most:
ACAO: Access-Control-Allow-Origin → defines which origin is allowed to read the response. It holds a single origin or `*`; a comma-separated list is rejected by the browser. That is why servers that want to allow several origins echo the request's Origin header back, and why a server that echoes any Origin together with ACAC: true is the misconfiguration to look for.
ACAC: Access-Control-Allow-Credentials → says whether a response to a request that carried credentials (cookies, HTTP auth, client certificates) may be exposed to JavaScript.
ACAC has only one valid value, the literal `true`, and it is case-sensitive: `True` or `TRUE` is ignored by the browser.
Access-Control-Allow-Credentials: true tells the browser:
if credentials (cookies/auth) were sent with a cross-origin request, JavaScript is allowed to read the response, but only if the other CORS rules (like ACAO) also match. ACAO must then name the exact origin; `Access-Control-Allow-Origin: *` combined with credentials is refused by the browser.
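To make the SOP and CORS rules above concrete, here is an added example (not code from the original post) that models the two decisions a browser makes: is this URL the same origin as mine, and may my script read this cross-origin response? It follows the Fetch standard's "CORS check" in simplified form; function names, the `pageUrl`/`withCredentials`/`responseHeaders` parameters and the sample response headers are all my own constructions.

```javascript
// Added example, not code from the original post: how a browser decides whether
// script on one origin may read a response from another. All names are mine.

// An origin is scheme + host + port. URL.origin serialises exactly that triple
// (a default port such as 443 is implied, a port like 5000 is spelled out).
function originOf(urlString) {
  return new URL(urlString).origin;
}

function isSameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Simplified version of the Fetch standard's "CORS check", run by the browser
// on every cross-origin response before exposing it to JavaScript.
//   pageUrl:         URL of the page whose script made the request
//   withCredentials: true when cookies/HTTP auth were sent (credentials mode "include")
//   responseHeaders: response headers with lowercase names
function corsCheck({ pageUrl, withCredentials, responseHeaders }) {
  const acao = responseHeaders["access-control-allow-origin"];
  if (acao === undefined) return false;             // no header: SOP stays in force
  if (acao.includes(",")) return false;              // a list of origins is rejected, only one value is allowed
  if (!withCredentials && acao === "*") return true; // wildcard is fine for anonymous requests
  if (acao !== originOf(pageUrl)) return false;      // exact match only; "*" never matches here
  if (!withCredentials) return true;
  // Credentialed request: the header must be the literal, case-sensitive "true".
  return responseHeaders["access-control-allow-credentials"] === "true";
}

// Constructed responses for illustration (not captured from any real server).
const publicApi = { "access-control-allow-origin": "*" };
const reflected = {
  "access-control-allow-origin": "https://evil.com", // server echoed the attacker's Origin
  "access-control-allow-credentials": "true",
};

console.log(isSameOrigin("https://example.com", "https://api.example.com")); // false
console.log(corsCheck({ pageUrl: "https://evil.com", withCredentials: true, responseHeaders: publicApi })); // false
console.log(corsCheck({ pageUrl: "https://evil.com", withCredentials: true, responseHeaders: reflected })); // true
```

The last line is the bug-bounty case: the server reflected `https://evil.com` into ACAO and sent ACAC: true, so a page on evil.com can read the victim's authenticated response. Swap the reflected value for `*` and the same credentialed request fails, which is why a wildcard alone is rarely exploitable.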
# Preflight: preflight is also a browser security feature.
Before sending a "non-simple" cross-origin request, the browser first sends an OPTIONS request to the server and only sends the real request if the server's answer allows it.
When does a preflight trigger?
A cross-origin request is sent directly (a "simple request") only if it uses GET, HEAD or POST, carries no headers beyond the safelisted ones (Accept, Accept-Language, Content-Language, Content-Type), and any Content-Type is application/x-www-form-urlencoded, multipart/form-data or text/plain. Anything else triggers a preflight: custom headers (Authorization, X-DDD-Token, X-Requested-With, etc.), methods like PUT, PATCH or DELETE, or a POST with Content-Type: application/json. A plain POST from an HTML form does not preflight, which is exactly why CSRF works against it.
request:

```http
OPTIONS /profile/1 HTTP/1.1
Access-Control-Request-Method: DELETE
Access-Control-Request-Headers: x-requested-with
Origin: https://from-evil-site.com
```

response:

```http
HTTP/1.1 204 No Content
Access-Control-Allow-Origin: https://from-evil-site.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers: Authorization, Content-Type, X-Requested-With
Access-Control-Allow-Credentials: true
Access-Control-Max-Age: 600
```

Note that the response allows every method and header the preflight asked for, and reflects the attacker's origin with credentials enabled, so the browser will go ahead and send the real DELETE with the victim's cookies.
Preflight = the browser asking permission before sending a "risky" cross-origin request.
The browser compares the real request's method against Access-Control-Allow-Methods and each non-safelisted header against Access-Control-Allow-Headers (the preflight response must also pass the ACAO/ACAC check above). If the method or any header is not allowed, the browser blocks the real request and it never reaches the server.
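Here is an added example (not code from the original post) that models both halves of the preflight: when the browser decides it needs one, and how it checks the server's OPTIONS answer against the request it wants to send. The safelists are the ones from the Fetch standard; the function names, the `{ method, headers }` shape and the sample server answer are my own constructions, and the ACAO/ACAC part of the check is left out since it is the same check as for any CORS response.

```javascript
// Added example, not code from the original post: when the browser sends a
// preflight and how it judges the server's answer. All names are mine.

// "Simple" requests go out without a preflight: CORS-safelisted method plus only
// CORS-safelisted headers (and a safelisted Content-Type if one is set).
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Returns null if no preflight is needed, otherwise what the browser would put in
// Access-Control-Request-Method / Access-Control-Request-Headers on the OPTIONS request.
function preflightFor(method, headers) {
  const m = method.toUpperCase();
  const lower = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const needsApproval = Object.keys(lower).filter((name) => {
    if (name === "content-type") {
      const mime = lower[name].split(";")[0].trim().toLowerCase();
      return !SAFELISTED_CONTENT_TYPES.has(mime);
    }
    return !SAFELISTED_HEADERS.has(name);
  }).sort();
  if (SAFELISTED_METHODS.has(m) && needsApproval.length === 0) return null;
  return { method: m, headers: needsApproval };
}

const splitList = (value) => (value || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// Does the server's preflight response permit the real request? The OPTIONS response
// must also pass the normal ACAO/ACAC check; that part is left out here.
function preflightAllowed(preflight, response, withCredentials) {
  if (response.status < 200 || response.status > 299) return false;
  const methods = splitList(response.headers["access-control-allow-methods"]);
  const allowed = splitList(response.headers["access-control-allow-headers"]);
  // "*" is a real wildcard only for requests sent without credentials.
  const wildcardMethods = !withCredentials && methods.includes("*");
  const wildcardHeaders = !withCredentials && allowed.includes("*");
  const methodOk = wildcardMethods
    || methods.includes(preflight.method.toLowerCase())
    || SAFELISTED_METHODS.has(preflight.method);
  const headersOk = preflight.headers.every((h) =>
    allowed.includes(h) || (wildcardHeaders && h !== "authorization")); // "*" never covers Authorization
  return methodOk && headersOk;
}

// Constructed preflight exchange (not captured from a real server): the server
// allows Authorization and Content-Type but forgot X-Requested-With.
const deleteWithXrw  = { method: "DELETE", headers: ["x-requested-with"] };
const deleteWithAuth = { method: "DELETE", headers: ["authorization"] };
const serverAnswer = {
  status: 204,
  headers: {
    "access-control-allow-methods": "GET, POST, PUT, DELETE",
    "access-control-allow-headers": "Authorization, Content-Type",
  },
};

console.log(preflightFor("POST", { "Content-Type": "application/json" })); // { method: 'POST', headers: [ 'content-type' ] }
console.log(preflightAllowed(deleteWithXrw, serverAnswer, true));  // false: x-requested-with is not in the allow list
console.log(preflightAllowed(deleteWithAuth, serverAnswer, true)); // true
```

Two things worth noticing when testing: a POST with `application/json` preflights while the same POST as a form does not, and a wildcard `Access-Control-Allow-Headers: *` still does not cover `Authorization`, so an API that only sets wildcards will block credentialed requests even though it looks wide open.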
# SameSite: a cookie attribute that tells the browser whether to include the cookie when the request comes from another website, in short a cross-site request.
Note the word site, not origin. A site is scheme + registrable domain, so a request from https://example.com to https://api.example.com is cross-origin but same-site, and SameSite does not restrict it at all.
SameSite has three values:
-> SameSite=Strict: the cookie is never included in a cross-site request
-> SameSite=Lax: the cookie is included only on top-level navigations that use a safe method (GET, HEAD)
What is a top-level navigation? The browser replaces the current page with a new page in the same tab (the address bar changes). A fetch(), an <img> or an <iframe> load is not one.
Example: <a href="https://bank.com/dashboard">Go to Dashboard</a>
Remember: under Lax the cookie is included in top-level navigation GET requests only.
Cross-site requests using POST, PUT, DELETE or other methods will not carry the cookie. Cookies set without any SameSite attribute are treated as Lax by Chromium-based browsers, with one exception: for two minutes after such a cookie is set, it is still sent on top-level cross-site POSTs.
-> SameSite=None: the cookie is included in every cross-site request. It must also carry the Secure attribute (HTTPS only); Chromium-based browsers reject SameSite=None without Secure.
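To see the three values side by side, here is an added example (not code from the original post) that models the decision "do I attach this cookie?" for a cross-site request. The `siteOf` helper, the `cookie`/`request` shapes and the bank.com/evil.com scenarios are my own constructions, and the registrable-domain logic is a deliberate simplification: real browsers consult the Public Suffix List, while this example just takes the last two host labels, which is wrong for suffixes like co.uk.

```javascript
// Added example, not code from the original post: a simplified model of when a
// browser attaches a cookie to a cross-site request. All names are mine.

// A "site" is scheme + registrable domain (eTLD+1). Browsers use the Public Suffix
// List for that; this example approximates it with the last two host labels, which
// is an assumption that breaks for suffixes like co.uk.
function siteOf(urlString) {
  const u = new URL(urlString);
  const registrable = u.hostname.split(".").slice(-2).join(".");
  return `${u.protocol}//${registrable}`;
}

function isSameSite(a, b) {
  return siteOf(a) === siteOf(b);
}

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// cookie:  { sameSite: "Strict" | "Lax" | "None" | undefined, secure: boolean }
// request: { from: URL of the page making the request, to: URL requested,
//            method: HTTP method, topLevel: true for a navigation that replaces the page }
function shouldSendCookie(cookie, request) {
  const mode = cookie.sameSite || "Lax"; // no attribute: Chromium treats it as Lax
  // SameSite=None without Secure is rejected when set, so it is never available to send.
  if (mode === "None" && !cookie.secure) return false;
  if (isSameSite(request.from, request.to)) return true; // same-site: SameSite does not apply
  switch (mode) {
    case "Strict": return false;
    case "Lax":    return request.topLevel && SAFE_METHODS.has(request.method.toUpperCase());
    case "None":   return true;
    default:       return false;
  }
}

// Constructed scenarios: the victim is logged in at https://bank.com, the attacker page is https://evil.com.
const session   = { sameSite: "Lax", secure: true };
const linkClick = { from: "https://evil.com", to: "https://bank.com/dashboard", method: "GET", topLevel: true };
const formPost  = { from: "https://evil.com", to: "https://bank.com/transfer", method: "POST", topLevel: true };
const fetchCall = { from: "https://evil.com", to: "https://bank.com/api/me", method: "GET", topLevel: false };

console.log(shouldSendCookie(session, linkClick)); // true:  top-level GET
console.log(shouldSendCookie(session, formPost));  // false: cross-site POST
console.log(shouldSendCookie(session, fetchCall)); // false: not a navigation
```

The same-site case is the one people miss: with `Strict` set, a POST from https://example.com to https://api.example.com still carries the cookie, because both are the site example.com. SameSite protects against other sites, not against other origins on your own site.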
That's all for now.
I could write more about the confusion that comes up when you combine all of them, but not today.
Say hi on Twitter.
SOP vs CORS vs Preflight vs SameSite Cookies — A Guide for Bug Bounty Hunters was originally published in System Weakness on Medium, where people are continuing the conversation by highlighting and responding to this story.