Rameez Ahmed Sayad

Reputation: 1300

How to disable Fiddler from posting XmlHttpRequests?

Maybe my question has two parts: how does Fiddler overcome CORS and post requests? Is it something that our application at the server is allowing it to do?

Upvotes: 0

Views: 50

Answers (1)

EricLaw

Reputation: 57075

To better understand Same-Origin-Policy, and why browsers need CORS, see this article: http://blogs.msdn.com/b/ieinternals/archive/2009/08/28/explaining-same-origin-policy-part-1-deny-read.aspx

Yes, you can send requests to any origin from your server:

Couldn’t the attacker’s server simply make a direct request to the victim server?

A key point in all of this is that abusing the user’s browser to load content from the victim server sends that user’s authentication (cookies, credentials, etc) to the victim server. The attacker needs these credentials to be sent to the victim server in order to get access to content worth stealing.

Stated another way, if the attacker could directly download protected resources from yourbank.com without using your browser, he absolutely would do so. But he can’t, because only your browser has the cookies and credentials that yourbank.com requires in order to return protected content.

Upvotes: 1
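The point of the answer, that CORS only restricts what a browser may read while the user's cookie is what actually gates the data, as an added example in Python (not code from the question, the answer, or Fiddler; the session store, the origin allow-list and the handler names are assumptions):

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample data (not from the page): one live session, one trusted origin.
SESSIONS = {"sess-abc123": "alice"}
ALLOWED_ORIGINS = {"https://app.yourbank.example"}

@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""

def cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """CORS headers go out only for an allow-listed Origin. They tell a browser
    whether a cross-origin script may *read* the response; they grant no access
    by themselves, and a non-browser client such as Fiddler ignores them."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}

def parse_session(cookie_header: str) -> Optional[str]:
    """Extract the session id from a Cookie header such as 'a=1; session=xyz'."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return value
    return None

def handle_request(method: str, path: str, headers: Dict[str, str]) -> Response:
    origin = headers.get("Origin")
    # Preflight: the browser asks permission before sending the real request.
    if method == "OPTIONS" and "Access-Control-Request-Method" in headers:
        h = cors_headers(origin)
        if not h:
            return Response(403)
        h["Access-Control-Allow-Methods"] = "GET, POST"
        return Response(204, h)
    # Authorization is decided by the session cookie alone, never by Origin:
    # any client (browser, Fiddler, curl) that lacks the cookie is refused.
    user = SESSIONS.get(parse_session(headers.get("Cookie", "")))
    if user is None:
        return Response(401, cors_headers(origin), "login required")
    if path == "/account":
        return Response(200, cors_headers(origin), f"balance for {user}")
    return Response(404, cors_headers(origin))
```

A request with the cookie but an unknown Origin is still answered with 200; the missing Access-Control-Allow-Origin header is what makes the browser withhold the body from the calling page, which is why the server must never treat CORS as its access control.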
