Bug :: CORS Misconfiguration ~ could lead to disclosure of sensitive info..!!!

Hello Folks……!!!!

In this article, I am gonna to discuss how I find CORS Vulnerability in 8+ subdomains of an org during my bug bounty hunting.

SO, Let’s dive in!!

What is ‘Cross Origin Resource Sharing’ commonly known as CORS ??

CORS, or Cross-Origin Resource Sharing, is a security feature implemented by web browsers to prevent unauthorized access to resources (like data or scripts) on a web page from a different origin (domain). It allows servers to specify who can access their resources, thereby protecting sensitive information and preventing malicious attacks like Cross-Site Request Forgery (CSRF).

When a web page tries to make a request to a different domain than the one it originated from, the browser enforces CORS policies to determine whether the request is allowed or blocked. These policies are defined by the server through HTTP headers, such as Access-Control-Allow-Origin, which specify which domains are permitted to access its resources.

What is CORS Vulnerability??

A CORS vulnerability arises when a web application’s Cross-Origin Resource Sharing (CORS) policy is misconfigured, allowing unauthorized domains to access sensitive resources. This can lead to data leakage, unauthorized access, and other security risks. Mitigation involves properly configuring CORS headers, validating preflight requests, and restricting access to sensitive resources based on origin.

Steps to Reproduce :

During the assessment of bug hunting, i manually checking Response:200 OK urls filtered from httpx result.

After searching many instances, i didn’t find any issues. But after sometime, my eyes goes to one of the response from burp http history which showing “Access Control Allow Origin: <origin_name>”.

Then i made my check for CORS vulnerability adding the Origin header requesting to an external domain (attacker.com) & boom…!!!! i got the reponse with :

Access-Control-Allow-Origin: https://attacker.com

Access-Control-Allow-Credentials: true

Similarly, i got this same issue………………………

………………………………………in 8+ subdomains of the target org doamin.

Then i made my POC & submit the report including all the affected URLs to the target organization.

CORS POC: You can follow this links to create poc or further exploitation.

Impact :-

CORS misconfigurations pose a serious threat to the security of web applications and can result in various forms of data breaches, unauthorized access, and service disruptions.

Attackers can use CORS vulnerabilities to steal sensitive data from applications like API keys, SSH keys, Personal identifiable information (PII), or users’ credentials.

It is crucial for developers to properly configure CORS policies to mitigate these risks and ensure the protection of sensitive assets.

That’s all about this article !!!!

Thank For Reading !!!

If you like _ — _ : Don’t forget to follow !!

~~ Happy Hunting ~~

Keep Learning & keep growing !!