How To Test Cross Origin Resource Sharing Vulnerability (OTG-CLIENT-007)

Hello Everyone,

This blog is all about the Cross Origin Resource Sharing (CORS) vulnerability. In one year of research I found various types of bypass that I would like to discuss.

I will keep this blog to the point without discussing the backend reasons, so that beginners can find it easy to follow.

If a site returns access control headers in its responses, then exercise every request and capture it in Burp or whichever proxy you use.

After collecting all the directories in Burp -> Target -> Site map, it is a good time to test!

Most people only test one endpoint, but each directory can set its access control headers in its own way. So test it on every directory. For example:

-dir1
       -sub_dir1
       -sub_dir2
-dir2
       -sub_dir1
       -sub_dir2

Here you need to test both dir1 and dir2.

How To Test

First, put a random string in the Origin request header and look at the response.

POST/GET  /page/etc
Host: example.com
......
origin: areyouvulnerable
......

Most probably you will get an error, or the same response as before without any access control header in the output. If Access-Control-Allow-Origin comes back as areyouvulnerable, then congrats :)

Now check for bypasses:

================================================================

1- Add some characters before the working origin

POST/GET  /page/etc
Host: example.com
......
origin: areyouvulnerableexample.com
......

================================================================

2-  Add some characters after the working origin

POST/GET  /page/etc
Host: example.com
......
origin: example.comareyouvulnerable
......

================================================================

3-  Again add some characters after the working origin, separated by a dot.

POST/GET  /page/etc
Host: example.com
......
origin: example.com.areyouvulnerable
......

================================================================

4-  Add % at the end of the origin.

POST/GET  /page/etc
Host: example.com
......
origin: example.com%
......

AND

POST/GET  /page/etc
Host: example.com
......
origin: example.com.%
......

================================================================

If the response carries the same access control header in all four cases above, then congrats.
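The first check (a random Origin) and the four bypass cases above all come down to one question: does the server's Origin validation accept strings that merely contain the trusted host, or does it require an exact match? The following Python, an added example that is not part of the original post, emulates that decision on the server side and runs the post's probe values through a substring policy, an endswith policy, and a strict allowlist policy, then applies a simple detection rule to the resulting headers. The allowlist, the policy functions, and the probe list are constructed for illustration; real browsers send Origin as scheme://host[:port], so the post's values are given an https:// prefix here.

```python
# Added example (not from the original post): emulate how a server's Origin
# check decides what to echo back, and run the post's probe origins through it.
# Everything here is constructed: the allowlist, the policies and the probes.
from urllib.parse import urlsplit

# Constructed allowlist of origins the hypothetical site really trusts.
TRUSTED_ORIGINS = {"https://example.com", "https://app.example.com"}

# Browsers send Origin as scheme://host[:port]; the probes below are the
# post's values with a scheme prepended, plus one legitimate origin.
PROBES = [
    "https://areyouvulnerable",              # random origin (first check)
    "https://areyouvulnerableexample.com",   # case 1: characters before
    "https://example.comareyouvulnerable",   # case 2: characters after
    "https://example.com.areyouvulnerable",  # case 3: dot then characters
    "https://example.com%",                  # case 4: trailing %
    "https://example.com.%",                 # case 4: dot then %
    "https://example.com",                   # legitimate origin, must still work
]


def weak_substring_policy(origin: str) -> bool:
    """Anti-pattern: accept any Origin that merely contains the trusted host."""
    return "example.com" in origin


def weak_endswith_policy(origin: str) -> bool:
    """Anti-pattern: accept any Origin whose string ends with the trusted host."""
    return origin.endswith("example.com")


def strict_policy(origin: str) -> bool:
    """Parse the Origin and require an exact scheme://host[:port] allowlist hit."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.netloc:
        return False
    if parts.path or parts.query or parts.fragment:
        return False  # a real Origin value never carries a path or query
    return f"{parts.scheme}://{parts.netloc.lower()}" in TRUSTED_ORIGINS


def build_cors_headers(origin: str, policy) -> dict:
    """Emulate the server: echo the Origin with credentials only if the policy accepts it."""
    if origin and policy(origin):
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",  # keep caches from serving one origin's ACAO to another
        }
    return {}


def is_reflected(origin: str, headers: dict) -> bool:
    """Detection rule: an untrusted Origin echoed back together with credentials."""
    return (
        origin not in TRUSTED_ORIGINS
        and headers.get("Access-Control-Allow-Origin") == origin
        and headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    )


def evaluate(policy) -> dict:
    """Map each probe origin to whether the policy reflects it insecurely."""
    return {o: is_reflected(o, build_cors_headers(o, policy)) for o in PROBES}


def reflected_count(policy) -> int:
    """Number of probes the policy reflects insecurely; 0 is what you want."""
    return sum(evaluate(policy).values())


if __name__ == "__main__":
    for policy in (weak_substring_policy, weak_endswith_policy, strict_policy):
        print(f"{policy.__name__}: {reflected_count(policy)} of {len(PROBES)} probes reflected")
        for origin, bad in evaluate(policy).items():
            print(f"  {'VULNERABLE' if bad else 'ok        '} {origin}")
```

Running the script shows the substring policy reflecting five of the seven probes and the endswith policy falling only to case 1, while the strict policy reflects none and still accepts https://example.com. The detection rule is the same one a tester applies by eye in the proxy: the Origin you sent comes back verbatim in Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true. The fix is the strict policy's shape, parse the header and compare the whole scheme://host[:port] against an allowlist, and always add Vary: Origin so a cached response for one origin is not served to another.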

Note:
Sometimes the CORS misconfiguration is present but the response does not contain anything sensitive.

Conclusion

Test for the CORS vulnerability on every directory with the four cases above. Also make sure the response actually contains sensitive data.


If you need POC code for any of the above cases, you can reach me on Facebook or Twitter.