TL;DR If you can find an unrestricted CORS endpoint that also honours the HTTP method override headers, you can potentially use it to reach endpoints that aren’t enabled for CORS, bypass CSRF protections, and deliver an XST (which gives you access to cookies protected by the httpOnly attribute).
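The TL;DR hinges on two server-side behaviours appearing together: a CORS policy that reflects any Origin, and method override headers that let a request change its verb after the CORS decision has been made (so a cross-origin POST can become a TRACE). The following is an added example, not code from the blog or from any real framework: two simplified request handlers, one with the weak configuration and one hardened, so the difference can be seen side by side. The header names in OVERRIDE_HEADERS and the origin in TRUSTED_ORIGINS are assumptions made for the example.

```python
"""Weak vs hardened handling of CORS, method override headers and TRACE.

This is an illustrative model of server behaviour, not any real framework's API.
"""

from dataclasses import dataclass, field
from typing import Dict, Tuple

# Header names commonly used for method override (assumption for this example).
OVERRIDE_HEADERS = ("x-http-method-override", "x-method-override", "x-http-method")

# Allowlist of origins permitted to make credentialed cross-origin calls
# (constructed value for the example).
TRUSTED_ORIGINS = {"https://app.example.test"}


@dataclass
class Request:
    method: str
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str, default: str = "") -> str:
        # HTTP header names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return default


def permissive_handler(req: Request) -> Tuple[int, Dict[str, str], str]:
    """Weak configuration: reflects any Origin with credentials, honours
    override headers and answers TRACE. Returns (status, headers, effective_method)."""
    method = req.method.upper()
    for name in OVERRIDE_HEADERS:
        if req.header(name):
            # The verb is rewritten after the request arrived, which is what
            # lets a CORS-permitted POST turn into something else.
            method = req.header(name).upper()
    resp: Dict[str, str] = {}
    origin = req.header("origin")
    if origin:
        resp["Access-Control-Allow-Origin"] = origin  # reflected, unrestricted
        resp["Access-Control-Allow-Credentials"] = "true"
    if method == "TRACE":
        # TRACE echoes the request back, Cookie header included (the XST concern).
        resp["Content-Type"] = "message/http"
    return 200, resp, method


def hardened_handler(req: Request) -> Tuple[int, Dict[str, str], str]:
    """Corrected configuration: TRACE refused, override headers ignored so the
    effective verb is always the request-line verb, and CORS granted only to
    allowlisted origins. Returns (status, headers, effective_method)."""
    method = req.method.upper()
    if method == "TRACE":
        return 405, {"Allow": "GET, POST"}, method
    # Override headers are deliberately not consulted; the verb stays as sent.
    resp: Dict[str, str] = {}
    origin = req.header("origin")
    if origin in TRUSTED_ORIGINS:
        resp["Access-Control-Allow-Origin"] = origin
        resp["Access-Control-Allow-Credentials"] = "true"
        resp["Vary"] = "Origin"  # caches must not reuse this across origins
    return 200, resp, method


if __name__ == "__main__":
    # Constructed request: a cross-origin POST carrying an override header.
    probe = Request("POST", {"Origin": "https://other.example.test",
                             "X-HTTP-Method-Override": "TRACE"})
    print("permissive:", permissive_handler(probe))
    print("hardened:  ", hardened_handler(probe))
```

Running the block shows the permissive handler treating the POST as a TRACE and granting credentialed CORS to an origin it has never heard of, while the hardened handler keeps the verb as POST and emits no Access-Control-Allow-Origin at all. The Vary: Origin header matters whenever the allow-origin value is computed per request, otherwise a shared cache can serve one origin's response to another.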
Did you look at the XST link at the bottom of the blog? There's a PoC site and a sample script you can use to see it work in practice. This will give you a grounding in combining the override headers and CORS in practice.
For CSRF, the principle is the same, but the detail will be different (as there are lots of approaches sites take for CSRF protections). So you just need to apply the principles to the challenge at hand.
So for example, if the site uses a cookie marked as httpOnly to transport the CSRF token (which the client then flips into a header in requests) you can use a site that is vulnerable to a method override and which also responds to TRACE to get the CSRF token, which you can then replay in your attack.
Awesome content. Lacking PoCs. It may seem obvious to you, but how do we actually use this to bypass CSRF protections?
thac