CORS Misconfigurations


Last updated 3 years ago


How CORS Works

Long Explanation

Usually the Same Origin Policy denies XMLHttpRequest (XHR) requests to other domains. CORS allows them when the remote host adds the Access-Control-Allow-Origin (ACAO) header to its response.

The remote host can also allow the request to carry credentials (such as cookies) with Access-Control-Allow-Credentials (ACAC).

ACAO (Access-Control-Allow-Origin) gives you a couple of options:

  • A single domain name (google.com)

  • A wildcard (*)

    • In other words, all domains.

    • But ACAC doesn't work when the allowed origin is *.

  • null

    • Null origins are given by local files.

    • You can also get a null origin from an iframe sandbox.

    • Basically the null origin is a better version of * for an attacker, because it allows for ACAC and it can be done from any website.

As a web developer, because you can only trust a single domain name in ACAO, if you have multiple domains you want to trust you will have to dynamically generate the ACAO value based on user input (the request's Origin header).

Summary

So basically, ACAC allows for very CSRF-like behaviour via ACAO misconfigurations.

Some attacks are also possible without ACAC.

Exploitation

ACAC is Enabled

If any origin is allowed, then you can just make the request from your own site.

If twitter.com checks that the origin starts with twitter.com, you can do it from twitter.com.evil.com.

If they validate the end and forget to check that the match starts with a dot, then you can just do it from nottwitter.com.

If they allow null, then you can use iframe sandbox to get null origin.

And even if they don't allow *.site.com, you can still do it with XSS or subdomain hijacking, or maybe via corporate proxies like McAfee Web Gateway if one is in place.

ACAC Not enabled

There was a case where JetBrains' IntelliJ had a CORS misconfiguration (ACAO enabled) and you were able to get SSH keys and even RCE through the IntelliJ server running on localhost.

Vary Origin

Vary: Origin is used if you want to have more than one allowed origin. It indicates that the response depends on the request's Origin header, so a cache must not serve a response generated for one origin to a request from another. If it is missing, then you may be able to exploit caching-related vulnerabilities.
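As an added example (not code from the Leet Sheet), here is the server-side origin validation in Python: the flawed prefix, suffix and null checks described above beside an exact-match allowlist and a correct subdomain check, plus a response builder that sets Vary: Origin. The allowlist and hostnames are constructed for the example.

```python
"""Origin validation for dynamically generated CORS headers.

Added example, not code from the Leet Sheet: the flawed prefix, suffix and
null checks described above beside an exact-match allowlist and a correct
subdomain check, plus a response builder that sets Vary: Origin.
"""
from urllib.parse import urlsplit

# Constructed allowlist for the example: exact origins, scheme included.
ALLOWED_ORIGINS = {"https://twitter.com", "https://app.twitter.com"}

def _host(origin):
    return (urlsplit(origin).hostname or "") if origin else ""

def weak_prefix_check(origin):
    # Flawed: "starts with twitter.com" also matches twitter.com.evil.com
    return _host(origin).startswith("twitter.com")

def weak_suffix_check(origin):
    # Flawed: "ends with twitter.com" without the dot also matches nottwitter.com
    return _host(origin).endswith("twitter.com")

def weak_allow_null(origin):
    # Flawed: trusting "null" admits sandboxed iframes and local files
    return origin == "null" or origin in ALLOWED_ORIGINS

def strict_origin_check(origin):
    # Exact match on scheme://host; "null" and http:// origins never match
    return bool(origin) and origin != "null" and origin in ALLOWED_ORIGINS

def safe_subdomain_check(origin, base="twitter.com"):
    # Correct *.base check: https only, and the host is base or ends in ".base"
    parts = urlsplit(origin) if origin else None
    if parts is None or parts.scheme != "https" or not parts.hostname:
        return False
    return parts.hostname == base or parts.hostname.endswith("." + base)

def cors_headers(origin):
    """Headers to add for this Origin, or {} when it is not trusted."""
    if not (strict_origin_check(origin) or safe_subdomain_check(origin)):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,   # echo the validated origin only
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # keep caches from serving this to another origin
    }
```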

Making “unexploitable” XSS exploitable

Unexploitable usually vaguely means something like: the value of a header (like X-User) gets reflected, but there's no way to make the user's browser send that header.

Thanks to CORS, you can send that header cross-domain using a JavaScript request.

But unless the server specifies Vary: Origin, the response may be cached in the browser. Then, when you take the actual user there, they will get the cached XSS.

Server-side cache poisoning is also possible.

Discovering Dynamically Generated CORS Headers

You have to look separately for dynamic generation of CORS headers. Say you're on google.com. When you make an XMLHttpRequest with origin evil.com, you will not get the headers. If you make it with origin google.com, you will get the headers.

Taken from Exploiting CORS Misconfigurations For Bitcoins And Bounties by James Kettle.

If they allow *.site.com, then if they allow http:// connections, that's still exploitable. For exploitation details watch this video at around 22 minutes or read the blog post.