Web Hacking Tips
  • Web App Hacking Tips & Tricks
  • Weekly Tips
    • Week 1 - XSS Filter Evasion
    • Week 2 - CSRF Token Bypass
    • Week 3 - CORS Exploitation
    • Week 4 - Finding XSS
    • Week 5 - CSRF Explanation
    • Week 6 - XSS Types
    • Week 7 - Advanced SQLMap
    • Week 8 - Stealing HttpOnly Cookies from PHPINFO
    • Week 9 - SQLMap Tamper Scripts
    • Week 10 - XSS Obfuscated Payloads
    • Week 11 - XS-Search: Cross-Origin Enumeration
    • Week 12 - Subdomain Takeovers
    • Week 13 - XSS Keylogger
    • Week 14 - Algolia API Keys
    • Week 15 - GraphQL Introspection
    • Week 16 - Naming BurpSuite Repeater Tabs
    • Week 17 - GoBuster Tips
    • Week 18 - Burp Request to Python Script
    • Week 19 - Customizing Nikto Scans
    • Week 20 - Google Phishing Page
    • Week 21 - Google BITB
    • Week 22 - XSS Through SVG File
    • Week 23 - FoxyProxy Extension
    • Week 24 - CSP Bypasses
    • Week 25 - Pilfering LocalStorage with XSS
    • Week 26 - Cloud SSRF
    • Week 27 - Blind XSS
    • Week 28 - Firebase Misconfigurations
    • Week 29 - XSS to CSRF
  • Week 30 - SQLMap Debugging
  • Week 31 - WayBack Machine
  • Week 32 - O365 BITB
  • Week 33 - Burp Intruder Attacks
  • Week 34 - GraphQL Bruteforcing
  • Week 35 - User Accounts
  • Week 36 - CVE Submission
  • Week 37 - Second Order SQLi
  • Week 38 - Out of Band SQLi
  • Week 39 - Broken Link Hijacking
  • Week 40 - JWT Testing
  • Week 41 - BURP ATOR
  • Week 42 - ProxyChains
  • Week 43 - CSS Keylogging
  • Week 44 - SVG SSRF
  • Week 45 - Request Smuggling
  • Week 46 - XSS Payloads
  • Week 47 - DNS Re-binding
  • Week 48 - SSRF Bypass
  • Week 49 - File Upload Bypass
  • Week 50 - CRLF Injection
  • Week 51 - HTML to PDF
  • Week 52 - Parameter Pollution
  • Week 53 - Pre-Account Takeover
  • Week 54 - Race Conditions
  • Week 55 - SQLi to RCE
  • Week 56 - Cloud SSRF PrivEsc
  • Week 57 - Response Queue Poisoning
  • Week 58 - Directory Traversal
  • Week 59 - File Upload -> CSRF
  • Week 60 - Modern CSRF Attacks
Powered by GitBook
  1. Weekly Tips

Week 3 - CORS Exploitation

PreviousWeek 2 - CSRF Token BypassNextWeek 4 - Finding XSS

Last updated 2 years ago

Exploiting CORS Misconfigurations

In week 3 of the Web App Hacking Tips & Tricks series, we will be covering CORS misconfigurations. When I first became a tester, this topic caused me a good bit of confusion. It took me some time to find a clear and concise summary of how this attack (and CORS in general) worked. Here is my attempt at a clean and simple, Step-By-Step overview: 1. Specify a domain in the ‘Origin’ header of an HTTP Request 2. Check if the response contains ‘Access-control-allow-origin: domain’ or ‘Access-control-allow-origin: null’ ---> This means we can access HTTP Responses from our attacker site. The ‘null’ origin means any site can access responses 3. Check if the response contains the ‘Access-control-allow-credentials: true’ header ---> This means we can send cookies with an HTTP Request, allowing us to access authenticated pages as a user If the above steps are true, then the application has a CORS misconfiguration and can be exploited through a XSS attack using XMLHTTPRequest() like below: <script>

var xhr = new XMLHttpRequest(); xhr.withCredentials = true; xhr.onreadystatechange = function() { if (xhr.readyState == XMLHttpRequest.DONE) { alert(xhr.responseText); } } xhr.open('GET', 'http://domain', true); xhr.send(null);

</script> An attacker can host this JavaScript payload on their domain, convince a user to click on their site, execute an HTTP request on their behalf, and then read the response.

It is important to note that if the vulnerable site uses a wildcard (‘Access-control-allow-origin: *’) and allows credentials (Access-control-allow-credentials: true), it is NOT vulnerable. CORS blocks this by default, and will not send cookies with the request.

Page cover image