Processing Rogue Cross Origin Request - Insecure Demo

processCOR.php located at is supposed to be accessible only from
However, the page is executed irrespective of which site makes the Cross Origin Request.
Only the response is not accessible to sites other than

In place of the date function, there could be other code that is very resource-intensive to execute, which rogue JavaScript could abuse.

PHP Source of

    <?php
    echo date('l jS \of F Y h:i:s A'); // runs for every request, whatever its Origin header
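
A server-side counterpart to the source above, added here as an example and not part of the original demo: it checks the `Origin` request header against an allowlist before the script body runs, so a rogue origin gets a 403 instead of triggering the work. `ALLOWED_ORIGINS`, `resolve_origin` and `https://trusted.example` are placeholders chosen for illustration.

```php
<?php
// Added example: hardened counterpart to processCOR.php (not the demo's own code).
// Placeholder allowlist; substitute the origin that is meant to call this page.
const ALLOWED_ORIGINS = ['https://trusted.example'];

/**
 * Decide whether the script body may run for this request.
 * Returns the origin to echo back in Access-Control-Allow-Origin,
 * '' when no Origin header was sent, or null when the request is refused.
 */
function resolve_origin(array $server): ?string
{
    $origin = $server['HTTP_ORIGIN'] ?? '';
    if ($origin === '') {
        // Browsers attach Origin to cross-origin XHR/fetch calls, so a
        // request without it is not the rogue-script case. Allowing it is
        // a policy choice made for this example.
        return '';
    }
    // Exact, strict comparison only: no substring, prefix or regex matching.
    // The literal value "null" (sandboxed frames, file://) is refused too.
    return in_array($origin, ALLOWED_ORIGINS, true) ? $origin : null;
}

$origin = resolve_origin($_SERVER);

// The response differs per Origin, so shared caches must key on it.
header('Vary: Origin');

if ($origin === null) {
    // Refuse before any expensive work is done.
    http_response_code(403);
    exit;
}

if ($origin !== '') {
    // Echo the single matched origin rather than a wildcard.
    header('Access-Control-Allow-Origin: ' . $origin);
}

// The work this page exists to do; it now runs only for permitted callers.
echo date('l jS \of F Y h:i:s A');
```

Page JavaScript cannot set or override the `Origin` header, so this check covers the rogue-script case described above. A non-browser client can send any value, so the check is not a substitute for authentication.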


To make a request to this page from and view the response click here.

Try making the same request from some other domain and capture the response in a proxy. It can be seen that the response is the same as the one below.

Based on the COR examples from Mozilla and Arun Ranga