How to Look for "Insecure CORS Configuration" vulnerabilities.

[A thread 🧵]

#appsec #bugbounty #bugbountytips #cybersecurity
[2/n]
What is an insecure CORS issue?

An insecure CORS configuration allows any website to trigger requests carrying the user's credentials to the target application and read the responses, thus enabling attackers to perform privileged actions or retrieve potentially sensitive information.
[3/n]

Basic Origin Reflection Test:

Req: Origin: evil[.]com
Res: Access-Control-Allow-Origin: evil[.]com

> In this test case, check whether your Origin header is being reflected in the Access-Control-Allow-Origin header. If it is, this may be a vulnerability.
[4/n]

Allows Wildcards:

Req: Origin: random[.]com
Res: Access-Control-Allow-Origin: *

> If the target application responds with * in the Access-Control-Allow-Origin header, it is vulnerable to a CORS misconfiguration issue.
[5/n]

Allows Null Origin:

Req: Origin: null
Res: Access-Control-Allow-Origin: null

> If, on sending the Origin header set to null, the application reflects null in the ACAO header, this is vulnerable and can be exploited using sandboxed iframes.
[6/n]

Bad Regex Validation:

Req: Origin: domain[.]com[.]snapsec[.]com
Res: Access-Control-Allow-Origin: domain[.]com[.]snapsec[.]com

Say the web app only checks for "domain[.]com" somewhere in the origin; this can be easily bypassed using "domain[.]com[.]snapsec[.]com".
[7/n]

Allowing Subdomains:

Req: Origin: sub[.]domain[.]com
Res: Access-Control-Allow-Origin: sub[.]domain[.]com

In this case the website trusts all of its subdomains. This issue can be exploited by finding a valid XSS issue on any of its subdomains.
[8/n]

Trusting Domains over Plain HTTP:

Req: Origin: http://domain[.]com
Res: Access-Control-Allow-Origin: http://domain[.]com

In this situation, an attacker who is in a position to intercept a victim user's traffic can exploit this CORS configuration.
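To make the thread's test cases concrete, here is an added Python example (not code from the thread or from Snap Sec) that puts the substring-style origin check beside an exact allowlist check, shows which headers each one emits, and labels a response the way the cases above do. The allowlist uses domain.com as a stand-in for the thread's defanged domain[.]com and is a constructed assumption.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the thread's domain[.]com with brackets removed,
# plus one subdomain that is genuinely meant to be trusted.
TRUSTED_ORIGINS = {"https://domain.com", "https://app.domain.com"}


def weak_origin_check(origin: str) -> bool:
    """The 'bad regex' pattern: any origin merely containing the host is accepted,
    so domain.com.snapsec.com (and every subdomain) passes."""
    return "domain.com" in origin


def strict_origin_check(origin: str) -> bool:
    """Exact scheme://host[:port] match against the allowlist.
    'null', '*', substrings and http:// variants all fail."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.netloc:
        return False
    return f"{parts.scheme}://{parts.netloc}".lower() in TRUSTED_ORIGINS


def cors_headers(origin: str, check) -> dict:
    """Headers a server emits for a credentialed request; nothing is echoed
    unless the check passes. Vary: Origin keeps caches from mixing origins."""
    if check(origin):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}


def classify_response(origin_sent: str, headers: dict) -> str:
    """Label a response using the thread's categories."""
    acao = headers.get("Access-Control-Allow-Origin")
    creds = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    suffix = " (credentialed)" if creds else ""
    if acao is None:
        return "no-cors"
    if acao == "*":
        # Browsers refuse '*' together with credentials, so this exposes
        # only what an unauthenticated client could already read.
        return "wildcard"
    if acao == "null":
        return "null-origin" + suffix
    if acao == origin_sent:
        return "reflected" + suffix
    return "fixed-origin"
```

Run the classifier over real responses by feeding it the Origin you sent and the response headers; a "reflected (credentialed)" or "null-origin (credentialed)" label is the finding worth reporting.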
