Insecure CORS Configuration" vulnerabilities. 🛡️⚔️
[A thread 🧵]
#infosecurity #CyberSec #bugbountytips #cybersecurity
[2/n]
What is Insecure CORS issue?
An insecure CORS configuration allows any website to trigger requests with user credentials to the target application and read the responses thus enabling attackers to perform privileged actions or to retrieve potential sensitive information
[3/n]
Basic Origin Reflection Test:
Req: Origin: evil[.]com
Res: Access-Control-Allow-Origin: evil[.]com
> In this test case, check whether the Origin header you sent is reflected in the Access-Control-Allow-Origin header. If it is, this may be a vulnerability.
[4/n]
Allows Wildcards:
Req: Origin: random[.]com
Res: Access-Control-Allow-Origin: *
> If the target application answers with * in the Access-Control-Allow-Origin response header, it has a CORS misconfiguration.
[5/n]
Allows Null Origin:
Req: Origin: null
Res: Access-Control-Allow-Origin: null
> If the application reflects null in the ACAO header when the Origin header is set to null, this is vulnerable and can be exploited using sandboxed iframes.
[6/n]
Bad Regex Validation
Req: Origin: domain[.]com[.]snapsec[.]com
Res: Access-Control-Allow-Origin: domain[.]com[.]snapsec[.]com
> Say the web app only checks that the origin contains "domain[.]com"; this check is easily bypassed with an origin such as "domain[.]com[.]snapsec[.]com".
[7/n]
Allowing Subdomains
Req: Origin: sub[.]domain[.]com
Res: Access-Control-Allow-Origin: sub[.]domain[.]com
> In this case the website trusts all of its subdomains. This issue can be exploited by finding a valid XSS issue on any of those subdomains.
[8/n]
Trusting HTTP (plaintext) origins
Req: Origin: http://domain[.]com
Res: Access-Control-Allow-Origin: http://domain[.]com
> In this situation, an attacker who can intercept a victim user's traffic can exploit this CORS configuration.
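As an added example (not from the thread), here is how the probes above translate into code on both sides: a server-side origin check that uses an exact allowlist of full origins (scheme plus host) and so rejects every case in the thread, and a small auditor that classifies a response to one of these probes. ALLOWED_ORIGINS and the app.example.com names are constructed sample values; note that a reflected origin is only useful for credentialed reads when Access-Control-Allow-Credentials is also true.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed allowlist of complete origins (scheme + host [+ port]).
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """CORS response headers for a request carrying `origin`.

    Only an exact (case-insensitive) match against ALLOWED_ORIGINS is echoed,
    and credentials are enabled only for such a match: no wildcard, no 'null',
    no substring or regex matching, no subdomain trust, https only.
    """
    if not origin:
        return {}  # same-origin request or non-browser client: no CORS headers
    parts = urlsplit(origin.strip().lower())
    # 'null', '*', bare hostnames and http:// origins all fail here.
    if parts.scheme != "https" or not parts.netloc or parts.path or parts.query:
        return {}
    canonical = f"{parts.scheme}://{parts.netloc}"
    if canonical not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": canonical,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # stop caches from replaying one origin's answer to another
    }


def audit_cors_response(origin_sent: str, headers: Dict[str, str]) -> Optional[str]:
    """Classify a response to a probe Origin using the thread's test cases.

    Returns a finding label, or None when the probe origin was not echoed.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return None
    credentialed = h.get("access-control-allow-credentials", "").lower() == "true"
    suffix = " (credentialed)" if credentialed else ""
    if acao == "*":
        return "wildcard"  # browsers refuse credentials with *, but still a misconfiguration
    if acao.lower() == "null" and origin_sent.lower() == "null":
        return "null-origin-reflected" + suffix
    if acao.lower() == origin_sent.lower():
        return "origin-reflected" + suffix
    return None
```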
