LOGO
OFFENSIVE | DEFENSIVE | WIKI | ABOUT

[CROSS-ORIGIN RESOURCE SHARING]



GENERAL INFORMATION PRE-REQS: 1. Authenticated session [if possible] NOTE: When a request's credentials mode (request.credentials) is include, browsers will only expose the response to the frontend javascript code if the Access-Control-Allow-Credentials header value is TRUE. ::: ARBITRARY ORIGIN REFLECTION SAMPLE: <script> fetch('/endpoint_to_exploit', {credentials:'include'} </script> 1. Manual inspection is needed to confirm this misconfiguration. [headers, code, etc] 2. If previous code sample is founded, CORS is possible to attempt. 3. Attempt to add the ORIGIN header. [burpsuite / repeater] 4. Check response, if header "Access-Control-Allow-Origin" is added it means CORS is used, attacks can be sucessful. "HTTP/2 200 OK Access-Control-Allow-Origin: https://machetevault.malicious.com" 5. If headers Access-Control-Allow-Credentials & Access-Control-Allow-Origin are present, arbitrary CORS can be accomplished. 6. User interaction is needed, so any way to send the payload to the user via social engineering is required. CHECK JS PAYLOAD: | CORSexploit-origin-reflection.js | DOWNLOAD ::: NULL ORIGIN REFLECTION [trusted] NOTES: 1. One way to distinguish between NULL and ARBITRARY CORS is to check if the header "Access-Control-Allow-Origin" is added to the response after adding any domain. SAMPLE: Access-Control-Allow-Origin: https://machete.malicious.com 2. If no header added, try null. Origin: null [burpsuite] 3. Access-Control-Allow-Origin: null will be added if successfull. 4. It is needed to generate a null request, HTML iframe sandbox can be used. CHECK JS PAYLOAD: null origin | CORSexploit_null-origin.js | DOWNLOAD ::: ARBITRARY SUBDOMAIN ORIGIN REFLECTION [insecure-protocols] NOTES: 1. Same steps used for "ARBITRARY ORIGIN REFLECTION" can be applied, however, at the moment to test the origin header it is necessary first to try the same origin and after that, try it with the subdomain. 2. It is necessary to inspect the request to see if exist any request to other domain, subdomain, etc. that can be used as part of the attack. NOTE: Sometimes this vulnerability is important when you have some kind of XSS as well that you can use to increase impact. >> Specific tests fror SUBDOMAIN reflection (besides previous ones) SAMPLE_DOMAIN: http://domain.com 1. Change origin header to one that begins with current origin of the site. REFLECTED SAMPLE: http://domain.com.malicious.site 2. Change origin header to one that ends with current origin of the site. REFLECTED SAMPLE: http://malicious.site.domain.com CHECK JS PAYLOAD: | CORSexploit_origin-subdomainXSS.js | DOWNLOAD
ATTACKER LOCAL SERVER: | pyats.sh

©® - Since 2023