{"id":372,"date":"2017-07-05T03:33:48","date_gmt":"2017-07-04T22:03:48","guid":{"rendered":"http:\/\/www.geekboy.ninja\/blog\/?p=372"},"modified":"2017-07-06T17:14:42","modified_gmt":"2017-07-06T11:44:42","slug":"exploiting-misconfigured-cors-via-wildcard-subdomains","status":"publish","type":"post","link":"http:\/\/www.geekboy.ninja\/blog\/exploiting-misconfigured-cors-via-wildcard-subdomains\/","title":{"rendered":"Exploiting Misconfigured CORS via Wildcard Subdomains"},"content":{"rendered":"

In last post<\/a>\u00a0about CORS i explained the cases where and how we can detect the presence of CORS misconfiguration, so this post will cover the one of specific case from them.<\/span><\/p>\n

So last week while testing one of web application for CORS misconfiguration, i came across a scenario and this is how it looks like:<\/span><\/p>\n

Request 1#<\/strong><\/p>\n

GET \/settings HTTP\/1.1\r\nHost: www.site.com\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko\/20100101 Firefox\/53.0\r\nAccept: *\/*\r\nAccept-Language: en-US,en;q=0.5\r\nReferer: <Redacted>\r\nOrigin: https:\/\/www.attacker.com\r\nCookie: <Redacted>\r\nConnection: close<\/pre>\n
Response 1#<\/strong><\/p>\n
HTTP\/1.1 200 OK\r\nAccess-Control-Allow-Credentials: true\r\nAccess-Control-Allow-Headers: User-Agent,Keep-Alive,Content-Type\r\nAccess-Control-Allow-Methods: GET, POST, OPTIONS, DELETE, PUT, HEAD, PATCH\r\nAccess-Control-Allow-Origin: https:\/\/www.site.com\r\nCache-Control: no-cache, no-store, max-age=0, must-revalidate\r\nContent-Type: text\/html; charset=utf-8\r\nDate: Sat, 10 Jun 2017 00:27:22 GMT\r\nExpires: Fri, 01 Jan 1990 00:00:00 GMT\r\n\r\n....\r\n[data]<\/pre>\n
Request 2#<\/strong><\/p>\n
GET \/settings HTTP\/1.1\r\nHost: www.site.com\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko\/20100101 Firefox\/53.0\r\nAccept: *\/*\r\nAccept-Language: en-US,en;q=0.5\r\nReferer: <Redacted>\r\nOrigin: http:\/\/www.site.com\r\nCookie: <Redacted>\r\nConnection: close<\/pre>\n
Response 2#<\/strong><\/p>\n
HTTP\/1.1 200 OK\r\nAccess-Control-Allow-Credentials: true\r\nAccess-Control-Allow-Headers: User-Agent,Keep-Alive,Content-Type\r\nAccess-Control-Allow-Methods: GET, POST, OPTIONS, DELETE, PUT, HEAD, PATCH\r\nAccess-Control-Allow-Origin: https:\/\/www.site.com\r\nCache-Control: no-cache, no-store, max-age=0, must-revalidate\r\nContent-Type: text\/html; charset=utf-8\r\nDate: Sat, 10 Jun 2017 00:27:22 GMT\r\nExpires: Fri, 01 Jan 1990 00:00:00 GMT\r\n\r\n....\r\n[data]<\/pre>\n
Request 3#<\/strong><\/p>\n
GET \/settings HTTP\/1.1\r\nHost: www.site.com\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko\/20100101 Firefox\/53.0\r\nAccept: *\/*\r\nAccept-Language: en-US,en;q=0.5\r\nReferer: <Redacted>\r\nOrigin: https:\/\/test.site.com\r\nCookie: <Redacted>\r\nConnection: close<\/pre>\n
Response 3#<\/strong><\/p>\n
HTTP\/1.1 200 OK\r\nAccess-Control-Allow-Credentials: true\r\nAccess-Control-Allow-Headers: User-Agent,Keep-Alive,Content-Type\r\nAccess-Control-Allow-Methods: GET, POST, OPTIONS, DELETE, PUT, HEAD, PATCH\r\nAccess-Control-Allow-Origin: https:\/\/www.site.com\r\nCache-Control: no-cache, no-store, max-age=0, must-revalidate\r\nContent-Type: text\/html; charset=utf-8\r\nDate: Sat, 10 Jun 2017 00:27:22 GMT\r\nExpires: Fri, 01 Jan 1990 00:00:00 GMT\r\n\r\n....\r\n[data]<\/pre>\n
Request 4#<\/strong><\/p>\n
GET \/settings HTTP\/1.1\r\nHost: www.site.com\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko\/20100101 Firefox\/53.0\r\nAccept: *\/*\r\nAccept-Language: en-US,en;q=0.5\r\nReferer: <Redacted>\r\nOrigin: https:\/\/www.site.com.attacker.com\r\nCookie: <Redacted>\r\nConnection: close<\/pre>\n
Response 4#<\/strong><\/p>\n
HTTP\/1.1 200 OK\r\nAccess-Control-Allow-Credentials: true\r\nAccess-Control-Allow-Headers: User-Agent,Keep-Alive,Content-Type\r\nAccess-Control-Allow-Methods: GET, POST, OPTIONS, DELETE, PUT, HEAD, PATCH\r\nAccess-Control-Allow-Origin: https:\/\/www.site.com.attacker.com\r\nCache-Control: no-cache, no-store, max-age=0, must-revalidate\r\nContent-Type: text\/html; charset=utf-8\r\nDate: Sat, 10 Jun 2017 00:27:22 GMT\r\nExpires: Fri, 01 Jan 1990 00:00:00 GMT\r\n\r\n....\r\n[data]<\/pre>\n
so from request 1-3 we can see, the ACAO is properly set no matter from what Origin<\/strong> its requested, but in case 4 we can see the anything after domain name site.com is getting reflected back to ACAO header.<\/span><\/p>\n
 So i thought to exploit it, and after bit of confusion and quick tip from James<\/a> cleared my doubts. so i enabled the wildcard entry for my domain geekboy.ninja<\/strong>. <\/span><\/p>\n
And idea is of wildcard will work like this, now if i request anything in this manner: https:\/\/site.com.geekboy.ninja\/exploit.html,<\/strong>\u00a0it will valid request and exploit.html will be served from domain geekboy.ninja\/exploit.html<\/strong> \u00a0and other side, Origin will be set as:\u00a0https:\/\/site.com.geekboy.ninja<\/strong> which is the requirement of this case.<\/span><\/p>\n
\"\"<\/a><\/span><\/p>\n
And this is how a small misconfiguration allows attacker to bypass the SOP of website.<\/span><\/p>\n
Takeaways for hackers: check for every variations of Origin header<\/strong>, for dev: use predefined ACAO dynamically.<\/strong> \u00a0<\/span><\/p>\n
 <\/p>\n
do let me know if you have any question in comment section.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"
In last post\u00a0about CORS i explained the cases where and how we can detect the presence of CORS misconfiguration, so this post will cover the one of specific case from them. So last week while testing one of web application for CORS misconfiguration, i came across a scenario and this is how it looks like: […]<\/p>\n","protected":false},"author":1,"featured_media":298,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[14,13,15],"_links":{"self":[{"href":"http:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/posts\/372"}],"collection":[{"href":"http:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/comments?post=372"}],"version-history":[{"count":37,"href":"http:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/posts\/372\/revisions"}],"predecessor-version":[{"id":411,"href":"http:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/posts\/372\/revisions\/411"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/media\/298"}],"wp:attachment":[{"href":"http:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/media?parent=372"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/categories?post=372"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/tags?post=372"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}