More Demos

Access Control based on Origin Header - Insecure Demo

acCOR.php located at reveals sensitive information to cross-origin requests from
Cross-origin requests from any other website are not permitted, and even accessing the page directly only reveals a normal page with no sensitive information.

This page uses only the Origin request header as its access-control parameter.
The Origin header is only trustworthy when a browser sets it: any non-browser client (wget, curl, a script) can send an arbitrary value, so the check is easily bypassed by spoofing the Origin header. Origin is intended to let the server decide whether a browser may read the response (via Access-Control-Allow-Origin), not to authenticate the requester; sensitive data must be protected by credentials the caller actually holds.

E.g.: wget --header="Origin:"

PHP Source of

    <?php
    // The only access-control check is the Origin request header,
    // which any non-browser client can set to an arbitrary value.
    if (isset($_SERVER['HTTP_ORIGIN']) && $_SERVER['HTTP_ORIGIN'] == "") {
        echo "This is sensitive information only available to requests from";
    } else {
        echo "This is just a normal page with no sensitive information";
    }
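The exchange above, reproduced end to end as an added example (not code from the original page): a throwaway local HTTP server applies the same Origin-only check that acCOR.php does, and a client then sends the page's three kinds of request, direct with no Origin, from another site, and with a forged Origin, exactly as the wget command does. The permitted origin `https://trusted.example`, the attacker origin `https://evil.example`, and the server and function names are assumptions, since the page elides the real values.

```python
"""Origin-header access control is bypassable by any non-browser client.

A hypothetical stand-in for acCOR.php (same check, different language) is
served on localhost, and urllib plays the role of wget --header="Origin:...".
"""
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed permitted origin; the original page does not show the real value.
ALLOWED_ORIGIN = "https://trusted.example"
SENSITIVE = ("This is sensitive information only available to requests from "
             + ALLOWED_ORIGIN)
NORMAL = "This is just a normal page with no sensitive information"


def origin_gated_response(origin):
    """The vulnerable decision from acCOR.php: trust the Origin header alone."""
    if origin == ALLOWED_ORIGIN:
        return SENSITIVE
    return NORMAL


class InsecureHandler(BaseHTTPRequestHandler):
    """Serves the page; the request's Origin header is the only access check."""

    def do_GET(self):
        body = origin_gated_response(self.headers.get("Origin")).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        # Keep the demo output to the results only.
        pass


def fetch(url, origin=None):
    """GET url; an explicit origin is sent verbatim, like wget --header does."""
    req = urllib.request.Request(url)
    if origin is not None:
        req.add_header("Origin", origin)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def run_demo():
    """Start the server on an ephemeral port, issue the three requests, stop it."""
    server = HTTPServer(("127.0.0.1", 0), InsecureHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/acCOR.php" % server.server_address[1]
    try:
        return {
            # Direct access, no Origin header: the normal page.
            "direct": fetch(url),
            # A browser on another site would send its own origin: normal page.
            "other_site": fetch(url, origin="https://evil.example"),
            # A forged Origin from a non-browser client: sensitive data leaks.
            "spoofed": fetch(url, origin=ALLOWED_ORIGIN),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The third request is the one the page's wget command makes: nothing on the server distinguishes a forged Origin from a genuine one, because the header is supplied by the client, and only a browser enforces its value.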


To make a request to this page from and view the response, click here.

Based on the CORS examples from Mozilla and Arun Ranga.