Once we have the code in the server, we can browse the web service client at http://192.168.56.11/dvwebservices/vulnerabilities/cors/client.php and start our exercise. Remember to have a proxy such as Burp Suite or ZAP recording all the requests:
- First, let's take a look at the normal operation, by browsing to client.php. It shows a secret word generated by the server.
- If we go to the proxy, Burp Suite, in this case, we can see that the client makes a POST request to server.php. There are a few things to notice in this request, exemplified in the following screenshot:
- The Content-Type header is application/json, which means that the body is in the JSON format.
- The request's body is not in the standard HTTP request format ...