Cross Origin Resource Sharing (CORS) Vulnerability | BugBountyTraining | Bug Bounty Service

Captions
Hey guys, this is Martin from Bug Bounty Service, and today I'm showing you another vulnerability around CORS, cross-origin resource sharing, which is basically a way modern web applications use quite heavily in order to facilitate cross-domain functionality. There are a lot of API calls these days, and, you know, application A needs to access application B and so forth. By default there's something called the same-origin policy (SOP), and that basically prevents these cross-domain interactions, but CORS is a way to loosen it. And it is a good thing; it makes sense in modern web applications because there's a lot of interaction between different services, especially thinking of microservice architectures and things like that. But it can go horribly wrong if misconfigured, and today I'm going to show you one of those typical misconfigurations.

So if we go to the main page here, we basically get an auth token, right? Like so. This could be an authenticated function, say this is like an authenticator function or something within a user portal, and then there's like an auth token. So let's take a look at this request and send it to Repeater to play with it. Effectively, if you launch the request you basically see the auth token, right? Let's take the domain, it's called bugbountytraining.com, let's copy this out, and then we basically go over to Burp and we add another header called the Origin header, and we put in bugbountytraining.com, right? And it says Access-Control-Allow-Origin and Allow-Credentials: true. So this is expected, because this is basically the website which I'm on right now. But here's the problem in this particular vulnerability: this filter might not be as accurate as possible. So maybe it's only looking for bugbountytraining.com within the origin, right? So maybe it's not doing like an exact match on that domain. So what happens, for example, if I add .martinword.com? Right, so this now basically becomes a subdomain, so to speak, of martinword.com, which is a complete other domain. I hit send, and you will see that the Access-Control-Allow-Origin also allows that.

So this is a vulnerability, this is a serious vulnerability, and for the reason that it's just checking whether this string is actually present in the request, right? But it does not check whether it ends in it or where in the string it's located. So a malicious attacker could now host something like this on their own server. Effectively, so this is my own server, right, and a malicious attacker could now host this as a subdomain and then launch that Ajax request from that specific box, and it would allow this. So the CORS policy would allow this to happen because the filter is misconfigured. I hope everyone understands this so far.

Let's go back here to the browser. So I have written a little script, which is just normal HTML, so it's basically plain HTML and then there's a JavaScript tag over here, and within that I'm launching an Ajax request, basically. I'm not going through this line by line, you can read this up on Google, but what it effectively does is it sends an HTTP GET request to this particular challenge URL, which normally, or this is what the developers intended, this request shall come only from bugbountytraining.com, from this domain, right? But what happens now if I host this on my malicious server and specify this as a subdomain? And this is exactly what I've done. I come over here and I've hosted this on my main server, and I basically specified this here as a subdomain, and if I refresh this, what's going to happen is I get the data leak. So I get the data leak on my server. My server is now getting the auth token, which is only supposed to be queried from the bugbountytraining.com domain, but not from a subdomain which is also called bugbountytraining.com, if that makes sense.

Let's just head over to Burp real quick and look at this request, what was done. So here was the CORS request, basically. It says Not Modified because I've tried it before, before the video, and then you basically see that after that a GET request is being launched, and here you can clearly see the Referer. So the Referer, I'm clearly coming from my server; the Origin is clearly coming from my server, right? But the filter is misconfigured, it accepts it because it has the full real domain name in there, even though it's configured as a subdomain on my server, and I'm able to leak out the authentication token. That's a classic CORS vulnerability, and you find this in the wild quite a lot, actually. I hope this makes sense, and I look forward to seeing you in one of my next videos.
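The substring check described in the video, as an added example that is not part of the video or the challenge site: the vulnerable origin filter beside a strict allowlist version, in JavaScript. The `https` scheme, the `martinword.com` attacker host and the function names are assumptions.

```javascript
// Added example (not from the video): a CORS origin check that reproduces the
// substring bug the transcript describes, beside a strict allowlist check.
// Scheme, host names and function names are assumptions.

const TRUSTED_ORIGIN = "https://bugbountytraining.com"; // assumed scheme
const ALLOWED_ORIGINS = new Set([TRUSTED_ORIGIN]);

// Vulnerable: accepts any Origin that merely *contains* the trusted host name,
// so "https://bugbountytraining.com.martinword.com" passes as well.
function weakOriginCheck(origin) {
  return typeof origin === "string" && origin.includes("bugbountytraining.com");
}

// Hardened: parse the Origin and compare the full serialized origin
// (scheme + host + port) against an explicit allowlist. Anything that is not
// a bare origin (path, query, userinfo, the literal "null") is rejected.
function strictOriginCheck(origin) {
  if (typeof origin !== "string") return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false; // "null", empty or malformed Origin header
  }
  if (parsed.pathname !== "/" || parsed.search || parsed.hash) return false;
  if (parsed.username || parsed.password) return false;
  return ALLOWED_ORIGINS.has(parsed.origin);
}

// Response headers for a credentialed CORS endpoint, given a check function.
// The Origin is echoed only after it passes; a wildcard "*" is never valid
// together with Allow-Credentials, so on a mismatch no CORS headers are set.
// "Vary: Origin" keeps caches from serving one origin's response to another.
function corsHeaders(origin, check) {
  if (!check(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}
```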
Info
Channel: Martin Voelk
Views: 7,078
Keywords: bugbounty, penetrationtesting, cors, vulnerability
Id: 0x-v9PlBlIc
Length: 5min 40sec (340 seconds)
Published: Sun Apr 23 2023