How to Access other Website Credentials from your own Domain (CORS – tutorial)


CORS (Cross-Origin Resource Sharing) is a mechanism built on HTTP headers that some sites send. It is negotiated between the browser and the server, and it allows one website to read responses from another website through the browser. If CORS is misconfigured, you can access the user info of another domain from your own domain.

Find CORS vulnerability in the target site:

From the attacker's point of view, finding a CORS vulnerability starts with analysing the HTTP headers. This can be done with Burp Suite: configure the browser you are going to test with to proxy through Burp Suite.

Normally, websites that allow cross-origin resource sharing do so with the header:

Access-Control-Allow-Origin: https://targetsite.com

So the point here is to look for this header. While capturing requests to the target site, you will see the CORS header in the response if it is configured. Once you have captured a request, check the response for the presence of the CORS header. If it is present, change the Origin in the request from the target domain to the attacker's domain and forward the request from Burp Suite. Then analyse the response that comes back. The possible responses are the following:

Case 1: Highly vulnerable and best for attack.

(Response)
Access-Control-Allow-Origin: https://attacker.com
Access-Control-Allow-Credentials: true

Case 2: Low vulnerability but exploitable.

(Response)
Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: true

Case 3: Not vulnerable and unexploitable.

(Response)
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true

Note: if the response contains the wildcard character *, then even though the header looks permissive, we are not able to obtain the credentials or cookies, because the browser will not expose a credentialed response when the allowed origin is the wildcard.
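As an added example (not part of the original tutorial), the following Python classifies a captured response into the three cases above and shows the server-side allow-list check that avoids the misconfiguration. The header values and the allow-list are constructed for the example.

```python
from typing import Optional

# Constructed sample responses, one per case above (not captured from a real site).
SAMPLE_RESPONSES = {
    "case1": {"Access-Control-Allow-Origin": "https://attacker.com",
              "Access-Control-Allow-Credentials": "true"},
    "case2": {"Access-Control-Allow-Origin": "null",
              "Access-Control-Allow-Credentials": "true"},
    "case3": {"Access-Control-Allow-Origin": "*",
              "Access-Control-Allow-Credentials": "true"},
    "safe":  {"Access-Control-Allow-Origin": "https://targetsite.com"},
}

def classify_cors(sent_origin: str, headers: dict) -> str:
    """Classify a response to a request whose Origin header was `sent_origin`.

    Returns one of: 'reflected-with-credentials' (Case 1),
    'null-with-credentials' (Case 2), 'wildcard-no-credentials' (Case 3),
    'cross-origin-read-only' (origin allowed, no cookies), or 'not-exposed'.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "not-exposed"          # no CORS header: browser blocks the read
    if acao == "*":
        # Browsers refuse to expose a credentialed response to a wildcard
        # origin, so cookies cannot be read even though ACAC is true.
        return "wildcard-no-credentials"
    if acao == "null" and creds:
        return "null-with-credentials"       # "null" is what sandboxed frames send
    if acao == sent_origin and creds:
        return "reflected-with-credentials"  # the origin we sent was echoed back
    return "cross-origin-read-only" if acao == sent_origin else "not-exposed"

# Hardened server-side logic (assumed example, not from the page): compare the
# request Origin against a fixed allow-list instead of echoing it back.
ALLOWED_ORIGINS = {"https://targetsite.com", "https://app.targetsite.com"}

def cors_headers_for(request_origin: Optional[str]) -> dict:
    """Return the CORS headers to send for a request carrying `request_origin`."""
    if request_origin is None or request_origin not in ALLOWED_ORIGINS:
        return {}   # unknown origin: send no CORS headers at all
    return {"Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}   # keep caches from serving one origin's answer to another
```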

If you find the vulnerable header and the Credentials header is also set to true, then it is child's play: you will be able to capture sensitive information such as email IDs, passwords and much more, and access it through the API at the other end.

Accessing info from your domain:

Visit the URL that contains the vulnerable CORS header and view the source code. Identify the API that returns the user info and host the exploit on your domain. Finally, you will be able to view the credentials of the website.

Further reading on CORS: PortSwigger
