How I Found a CORS Vulnerability While Hunting on a Bug Bounty Platform
Hey guys, I’m Ravikiran. I’m working as a security analyst, and I just started my career as a bug bounty hunter. Now, coming to the subject, let’s start.
Cross-Origin Resource Sharing (CORS)
CORS is a security feature created to selectively relax the restrictions of the same-origin policy (SOP) and enable controlled access to resources from different domains. CORS rules allow a domain to specify which other domains may request information from it, by adding specific HTTP headers to the response.
There are several HTTP headers related to CORS; however, we are interested in the two related to the commonly seen vulnerabilities: Access-Control-Allow-Origin and Access-Control-Allow-Credentials.
- Access-Control-Allow-Origin: This header specifies the domains allowed to read the response contents. The value can be either a wildcard character (*), which indicates all domains are allowed, or a comma-separated list of domains.
# All domains are allowed
Access-Control-Allow-Origin: *
# Comma-separated list of domains
Access-Control-Allow-Origin: example.com, metrics.com
- Access-Control-Allow-Credentials: This header determines whether the domain allows passing credentials, such as cookies or authorization headers, in cross-origin requests. The value of the header is either true or false. If the header is set to “true”, the domain allows sending credentials; if it is set to “false” or not included in the response, then credentials are not allowed.
# Allow passing credentials in the requests
Access-Control-Allow-Credentials: true
# Disallow passing credentials in the requests
Access-Control-Allow-Credentials: false
Impact
CORS misconfigurations can have a significant impact on the security of web applications. Below are the main implications:
- Data Theft: Attackers can use CORS vulnerabilities to steal sensitive data from applications, such as API keys, SSH keys, personally identifiable information (PII), or users’ credentials.
- Cross-Site Scripting (XSS): Attackers can use CORS vulnerabilities to perform XSS attacks by injecting malicious scripts into web pages to steal session tokens or perform unauthorized actions on behalf of the user.
- Remote Code Execution in some cases (StackStorm case)
Identifying CORS
When testing an application for CORS, we check if any of the application’s responses contain the CORS headers. We can use the search functionality in Burp Suite to search for the headers quickly.
In the example below, I searched for the Access-Control-Allow-Credentials header and got three (3) responses back. Once the headers are identified, we select the requests and send them to Repeater for further analysis.
Intro: Welcome to my new article on bug bounty hunting. Here I will discuss how I found a CORS vulnerability in a web application. We will assume the domain is example.com. So, let’s start.
Hack it:
I started hunting on this domain, example.com, and I found this path:
https://www.example.com/_hcms/livechat/widget?portalId=26222027&conversations-embed=static-1.17691&mobile=false&messagesUtk=3ab03e7e3143415784d000b6edd8382c&traceId=3ab03e7e3143415784d000b6edd8382c
where I could get some information about the application. Then I intercepted the request in my Burp Suite and sent it to Repeater.
Here we can observe in the above image that they implemented the access-control-origin header: false, which means no malicious or third-party domains are allowed to access this website, as per the security guidelines.
So, what did I do here?
I just added the Origin header to the request, i.e. Origin: evil.com
Now I sent this request, and it reflected back with a 200 status response code with the header Access-Control-Allow-Origin: evil.com and, quite surprisingly, Access-Control-Allow-Credentials: false, even though the website was allowing the malicious domain access to the application without blocking it.
Impact:
Attackers can use the CORS vulnerability to steal sensitive data from the application, such as API keys, SSH keys, personally identifiable information, or users’ credentials.
Mitigation:
- Implement proper CORS headers: The server can add appropriate CORS headers to allow cross-origin requests from only trusted sites.
- Restrict access to sensitive data: It is important to restrict access to sensitive data to only trusted domains. This can be done by implementing access control measures such as authentication and authorization.
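To make the mitigation and the Repeater check above concrete, here is an added example (not code from the original post or from the tested application): an allowlist-based server-side CORS policy, beside a small classifier that labels a response the way the write-up's finding was labelled (a foreign Origin reflected back). The origin names and the sample headers are constructed for illustration.

```python
# Added example: allowlist-based CORS policy beside a response classifier.
# TRUSTED_ORIGINS and every header value below are constructed, not from the post.
from typing import Dict, Optional

TRUSTED_ORIGINS = {"https://www.example.com", "https://app.example.com"}  # constructed


def cors_headers_for(origin: Optional[str], allowlist=TRUSTED_ORIGINS) -> Dict[str, str]:
    """Hardened policy: echo the Origin only when it is an exact allowlist match.

    Browsers honour a single origin in Access-Control-Allow-Origin, so the
    matching origin is returned verbatim; Vary: Origin stops shared caches from
    serving one origin's answer to a different origin.
    """
    if origin is None or origin not in allowlist:
        return {}  # no CORS headers at all: the browser blocks the cross-origin read
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def classify_cors(request_origin: str, response_headers: Dict[str, str],
                  allowlist=TRUSTED_ORIGINS) -> str:
    """Label a response observed in Repeater after sending a foreign Origin header."""
    hdrs = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = hdrs.get("access-control-allow-origin")
    creds = hdrs.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no-cors"
    if acao == "*":
        # Browsers reject "*" combined with credentials, so that variant is simply
        # broken; a plain wildcard only exposes data that needs no cookie anyway.
        return "wildcard-with-credentials(ignored-by-browsers)" if creds else "wildcard"
    if acao == request_origin and request_origin not in allowlist:
        # The pattern from the write-up: the server reflects evil.com back. With
        # credentials allowed this exposes the logged-in user's data; without them
        # only responses that need no session can be read cross-origin.
        return "reflected-origin-with-credentials" if creds else "reflected-origin"
    return "allowlisted" if acao in allowlist else "fixed-origin"
```

Running `classify_cors("https://evil.com", {...})` over the headers captured in Repeater gives a consistent label for each tested endpoint, and `cors_headers_for` shows the shape of the fix: never echo an Origin that is not on the allowlist.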
Thanks for reading!
If you liked it, don’t forget to follow me for more articles.
Stay tuned.