Getting ready
For this recipe, we will use the Damn Vulnerable Web Services. It can be downloaded from its GitHub address at https://github.com/snoopysecurity/dvws. Download the latest version and copy it to the OWASP BWA virtual machine (or download it straight to it); we will put the code in /var/www/dvwebservices/.
This code is a collection of vulnerable web services made with the purpose of security testing; we will modify one of them to make it less vulnerable. Open the /var/www/dvwebservices/vulnerabilities/cors/server.php file with a text editor; it may be nano, included by default in the VM: nano /var/www/dvwebservices/vulnerabilities/cors/server.php
Look for all the instances where the Access-Control-Allow-Origin header is set and ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access