Hi everyone, I'm Abdulrhman, a junior Computer Science graduate and cyber security enthusiast. Today I'm going to show you how you should think when testing for CORS misconfiguration. I have learned a lot from our hero zseano, and I faced a scenario similar to a challenge found on his site, which I had solved before, so I decided to explain this bug using his challenge.
Before starting, let's learn some terms!
Cross-Origin Resource Sharing (CORS) is a browser mechanism that lets a server declare which other origins are allowed to read its responses; it is the controlled way a web page on one domain can interact with resources from a different domain. On the other
hand, the Same-Origin Policy (SOP) is the fundamental browser rule that CORS relaxes: a page may still send a request to a different origin than the one that served it, but scripts on that page cannot read the response unless the other origin opts in through CORS headers.
The first thing we do is send a normal request and look at the response.
Then ask yourself: does the server send 'Access-Control-Allow-Origin' or not? This header tells the browser which origin is allowed to read the response, so its presence means the server accepts cross-origin reads from the origin it names.
Note: an origin is defined by protocol (scheme), domain (hostname) and port; the path is not part of it.
Consider the URL : http://www.Ben.com/Shares
-1 https://www.Ben.com/BugBounty // a page here is not permitted to read responses from the URL above, because the scheme differs (https vs http)
-2 http://www.Ben.com/BugBounty // a page here is permitted, because it has the same scheme, domain and port as the URL above (the different path does not matter)
Note: keep in mind that by default the browser only lets a page read responses from its own origin (same scheme, domain and port). The server can tell the browser to trust other origins through its CORS configuration, and when that configuration is too loose, CORS vulnerabilities arise.
Let's take some examples to understand it better.
-Request Number One:
GET /api/data HTTP/1.1
Host: api.example.com
-Response Number One :
HTTP/1.1 200 OK
Access-Control-Allow-Origin: * // any origin may read this response; browsers never honour * for credentialed (cookie-bearing) requests, so only public data is exposed
Content-Type: application/json
We can check whether the server accepts the POST method by sending an OPTIONS (preflight) request!
Note: the OPTIONS preflight is how the browser asks the server which methods and headers it allows on a resource before it sends a cross-origin request that is not a "simple" one (for example a POST with a JSON body or a custom header).
-Request Number Two:
OPTIONS /api/data HTTP/1.1
Host: api.example.com
Origin: https://client.example.com
Access-Control-Request-Method: POST
Access-Control-Request-Headers: Content-Type
-Response Number Two:
HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://client.example.com // accepts requests from client.example.com
Access-Control-Allow-Methods: POST // the server accepts POST requests for /api/data
Access-Control-Allow-Headers: Content-Type // the Content-Type request header is accepted
We can check whether the server accepts credentials (cookies) with the request by looking for the Access-Control-Allow-Credentials header in the response!
-Request Number Three:
GET /api/data HTTP/1.1
Host: api.example.com
Origin: https://client.example.com
Cookie: session=abc123 // the browser attaches the cookie because the page used fetch(url, { credentials: 'include' }); the cookie value here is illustrative
-Response Number Three:
HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://client.example.com
Access-Control-Allow-Credentials: true // cookies may be sent with the request and the response may still be read by the allowed origin
That's enough, let's go:
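To tie the three examples together, here is an added example (my own, not code from the original post or from the challenge) that reads raw responses the way a tester does: it pulls out the two headers that matter, Access-Control-Allow-Origin and Access-Control-Allow-Credentials, and classifies the result, plus a check of whether a preflight reply allows the method and headers the browser asked for. The raw responses are constructed copies of the ones above.

```javascript
// Added example, not part of the original post. Parses a raw HTTP response and
// classifies its CORS posture relative to the Origin the tester sent.

function parseResponseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/).slice(1)) { // slice(1): skip the status line
    if (line.trim() === "") break;                    // blank line ends the header block
    const idx = line.indexOf(":");
    if (idx === -1) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

// sentOrigin is the value the tester put in the request's Origin header.
function classifyCors(sentOrigin, rawResponse) {
  const h = parseResponseHeaders(rawResponse);
  const acao = h["access-control-allow-origin"];
  const creds = (h["access-control-allow-credentials"] || "").toLowerCase() === "true";
  if (acao === undefined) return "none";          // browser blocks the cross-origin read
  if (acao === "*") {
    // Browsers refuse "*" on credentialed requests, so only public data is exposed.
    return creds ? "wildcard-with-credentials-rejected" : "wildcard-public";
  }
  if (acao === "null") return creds ? "null-with-credentials" : "null";
  if (acao === sentOrigin) return creds ? "allowed-with-credentials" : "allowed";
  return "not-allowed";                           // ACAO names some other origin
}

// For a preflight reply: does it allow the method and request headers the browser asked for?
function preflightAllows(rawResponse, method, requestHeaders) {
  const h = parseResponseHeaders(rawResponse);
  const methods = (h["access-control-allow-methods"] || "")
    .split(",").map((s) => s.trim().toUpperCase());
  const allowed = (h["access-control-allow-headers"] || "")
    .split(",").map((s) => s.trim().toLowerCase());
  return methods.includes(method.toUpperCase()) &&
         requestHeaders.every((n) => allowed.includes(n.toLowerCase()));
}

// Constructed responses mirroring the three examples in the post.
const RESPONSE_ONE = [
  "HTTP/1.1 200 OK",
  "Access-Control-Allow-Origin: *",
  "Content-Type: application/json",
  "",
  "{}",
].join("\r\n");

const RESPONSE_TWO = [
  "HTTP/1.1 200 OK",
  "Access-Control-Allow-Origin: https://client.example.com",
  "Access-Control-Allow-Methods: POST",
  "Access-Control-Allow-Headers: Content-Type",
  "",
].join("\r\n");

const RESPONSE_THREE = [
  "HTTP/1.1 200 OK",
  "Access-Control-Allow-Origin: https://client.example.com",
  "Access-Control-Allow-Credentials: true",
  "",
  '{"Auth_Token":"example"}',
].join("\r\n");

console.log(classifyCors("https://attacker.example", RESPONSE_ONE));      // wildcard-public
console.log(preflightAllows(RESPONSE_TWO, "POST", ["Content-Type"]));      // true
console.log(classifyCors("https://client.example.com", RESPONSE_THREE));  // allowed-with-credentials
console.log(classifyCors("https://attacker.example", RESPONSE_THREE));    // not-allowed
```

One response alone cannot tell you whether "allowed-with-credentials" comes from a fixed allowlist or from the server reflecting whatever Origin it received; the only way to find out is to resend the request with an Origin you control and classify again, which is exactly the next step.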
Let's think: what if we change the Origin header to see whether the server accepts requests from a web page on a different domain? Look at the following image:
Let's see how the CORS configuration code checks the Origin header, by testing it:
The code only checks whether the trusted domain name appears somewhere in the Origin value (a substring match, not an exact match on the whole origin), so you can use Origin: https://www.bugbountytraining.anydomain.com/ and the server reflects it in Access-Control-Allow-Origin.
Nice! Let's exploit it by writing a simple page that sends a credentialed request to the vulnerable server and fetches the Auth_Token:
We are done. I hope you learned something, and how to think when testing for CORS misconfigurations.
LinkedIn :https://www.linkedin.com/in/abdulrhman-ben-saad-08b936216/
Twitter : https://twitter.com/AbdulrhmannSaad