
Sunday, July 11, 2021

Bug-Bytes: CORS Vulnerabilities

Cross-Origin Resource Sharing

Cross-Origin Resource Sharing (CORS) is a mechanism by which one website/domain can share resources (web files) with its subdomains or with third-party vendors under an explicit allowance policy, even where a general sharing policy (the browser's same-origin policy) would otherwise restrict the sharing of that resource.



Misconfigured CORS

If one finds the following in the response:

  • Access-Control-Allow-Origin: null
  • Access-Control-Allow-Credentials: true

it means that the website is poorly configured.



Checking for CORS misconfiguration

1st method

To check for CORS misconfiguration, one has to check the response for:

  1. Access-Control-Allow-Origin: http://domain1.com
  2. Access-Control-Allow-Origin: *


2nd method

One can use the spider/crawling function in Burp Suite and, after spidering the domain, visit the Search tab (in the topmost tab bar of Burp Suite) and search for the keyword "Access-Control-Allow-Origin". Send that page to Repeater.



Checking for CORS misconfiguration (another method)

Another way to find a CORS vulnerability is to send the request with a foreign Origin header from the command line:

  • curl -i https://domain.com -H "Origin: http://domain2.com"

(-i prints the response headers, so the Access-Control-Allow-Origin header is visible in the output)



Testing for insecure CORS

If one has to test for CORS misconfiguration, he/she should:

  1. Intercept the request in Burp Suite, and then follow up with the 1st or 2nd method explained above.
  2. Next, send the request to the Repeater tab in Burp Suite.
  3. Now, before the Cookie or Connection header in the request, add the following header -> Origin: http://domain2.com (or Origin: null).
  4. Now, observe the response in the Response pane.



Observation

Now in Repeater, in the Response pane, if one gets this response:

Access-Control-Allow-Origin: domain2.com (or *, or null)

this shows that the website is vulnerable to CORS misconfiguration.
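The three checks above (the response-header inspection of the 1st method, the curl probe with a foreign Origin, and the observation rule for a reflected, wildcard or null Access-Control-Allow-Origin) can be scripted. The block below is an added example, not code from the post: it runs a deliberately misconfigured stand-in server on loopback (a constructed, hypothetical target that reflects any Origin and allows credentials), sends the same probe that the curl command sends, and classifies the CORS headers it gets back. The probe origin http://domain2.com and the path /api/profile are placeholders taken from the post's wording. Note the distinction the classifier makes: a reflected origin together with Access-Control-Allow-Credentials: true is the case where a foreign page can read responses carrying the victim's cookies, whereas browsers never attach cookies to a request answered with a bare *.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

# Constructed probe origin (hypothetical); it only needs to be one the
# target has no business trusting.
PROBE_ORIGIN = "http://domain2.com"


class ReflectingHandler(BaseHTTPRequestHandler):
    """Local stand-in for a misconfigured site: it echoes whatever Origin it
    receives into Access-Control-Allow-Origin and also allows credentials."""

    def do_GET(self):
        origin = self.headers.get("Origin")
        body = b"private profile data"
        self.send_response(200)
        if origin is not None:
            self.send_header("Access-Control-Allow-Origin", origin)
            self.send_header("Access-Control-Allow-Credentials", "true")
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        # Keep the demo server quiet.
        pass


def classify_cors(probe_origin, headers):
    """Apply the post's observation rules to a dict of response headers.

    "wildcard"              -> Access-Control-Allow-Origin: * (any site can read
                               the response, but browsers send no cookies with it)
    "null"                  -> Access-Control-Allow-Origin: null (sandboxed frames
                               and similar contexts send a null origin)
    "reflected"             -> the probe origin was echoed back
    "reflected+credentials" -> echoed back AND credentials allowed: a foreign page
                               can read responses that carry the victim's cookies
    "allowlisted"           -> some other fixed origin, i.e. a real allowlist
    "not-exposed"           -> no CORS header at all
    """
    h = {name.lower(): value.strip() for name, value in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "not-exposed"
    if acao == "*":
        return "wildcard"
    if acao.lower() == "null":
        return "null"
    if acao == probe_origin:
        return "reflected+credentials" if creds else "reflected"
    return "allowlisted"


def probe(url, origin=PROBE_ORIGIN):
    """The curl method from the post, in Python: one GET with a foreign Origin
    header, returning the verdict and the CORS-relevant response headers."""
    req = Request(url, headers={"Origin": origin})
    with urlopen(req, timeout=5) as resp:
        hdrs = {name: value for name, value in resp.getheaders()}
    relevant = {k: v for k, v in hdrs.items() if k.lower().startswith("access-control-")}
    return classify_cors(origin, hdrs), relevant


def run_demo():
    """Start the misconfigured server on a free loopback port, probe it, stop it."""
    server = HTTPServer(("127.0.0.1", 0), ReflectingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe(f"http://127.0.0.1:{server.server_port}/api/profile")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    verdict, cors = run_demo()
    print(verdict, cors)
```

Pointing probe() at a real host is the same as the curl command with a different Origin value; the verdict names map directly onto the post's observation list, and "reflected+credentials" is the one to report first.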



The vulnerability

By responding with Access-Control-Allow-Origin: *, the requested resource allows sharing with every origin. This means that any site can send an XHR request to your site and access the server's response, which would not be the case if you hadn't implemented this CORS response. So any site can make a request to your site on behalf of its visitors and process the response. If one has implemented something like an authentication or authorization scheme that is based on something automatically provided by the browser (cookies, cookie-based sessions, etc.), the requests triggered by the third-party sites will use them too.

This indeed poses a security risk, particularly if you allow resource sharing not just for selected resources but for every resource.
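The server-side fix for the behaviour described above is to stop echoing the caller's Origin and to compare it exactly against a fixed allowlist, granting credentials only to those origins and a plain * only to resources that are genuinely public. The block below is an added example, not code from the post or from any particular framework: reflect_origin() is the vulnerable pattern, cors_headers() the hardened replacement, and the allowlist (https://app.example.com, https://admin.example.com) and the public path /api/status are constructed values for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example; a real deployment loads its own.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
# Constructed set of resources that are genuinely public (no cookies needed).
PUBLIC_PATHS = {"/api/status"}


def reflect_origin(request_origin):
    """The vulnerable pattern the post describes: echo the caller's Origin and
    allow credentials, so every site on the web can read authenticated responses."""
    if request_origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def normalize_origin(request_origin):
    """Return scheme://host[:port] in lowercase, or None if the value is not a
    well-formed origin (this also rejects the literal string 'null')."""
    if not request_origin:
        return None
    parts = urlsplit(request_origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    return f"{parts.scheme}://{parts.netloc.lower()}"


def cors_headers(request_origin, path, allowed=ALLOWED_ORIGINS, public=PUBLIC_PATHS):
    """Hardened replacement for reflect_origin.

    - Public, credential-free resources get a plain '*' and never credentials.
    - Everything else is compared exactly against the allowlist: no suffix or
      substring matching, no 'null', and an unknown origin gets no CORS header
      at all, so the browser refuses to hand the response to the page.
    - 'Vary: Origin' keeps caches from serving one origin's headers to another.
    """
    if path in public:
        return {"Access-Control-Allow-Origin": "*"}
    origin = normalize_origin(request_origin)
    if origin is None or origin not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


if __name__ == "__main__":
    for origin in ("http://domain2.com", "null", "https://app.example.com"):
        print(origin, "->", reflect_origin(origin), "| fixed:", cors_headers(origin, "/api/profile"))
```

Exact matching is what makes this safe: a check such as endswith("example.com") or a substring match would accept attacker-controlled hosts like app.example.com.attacker.example, which is why normalize_origin() rebuilds the origin from its parsed parts before the set lookup.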



Share it with the people who need to get started in this field, and get yourself started with cybersecurity and ethical exploitation.

Hope this article helps you. If you have any suggestions, drop them in the comment section, and join our family by clicking the Subscribe button. For more articles/posts like this, join us on:-
