How To Test Cross Origin Resource Sharing Vulnerability (OTG-CLIENT-007)

-
Hello Everyone, This blog is all about Cross Origin Resource Sharing (CORS) Vulnerability. In my one year of research, I found various type of bypass, that I would like to discuss. I will keep this blog to the point without discussing backend reason, so that beginner can find it an easy one. If a site is allowing access control header at the output response then play with all the request and capture it on burp or any proxy you use. After getting all directory on burp -> target -> sitemap, then this is a good time to test !! Most of the people just test it on one point, but each directory has its own way to set access control header. So, test it on every directory. For example -dir1        -sub_dir1        -sub_dir2 -dir2        -sub_dir1        -sub_dir2 Here you need to test on dir1 and dir2. How To Test First, put any random character at origin header at the input and see the output response. POST/GET  /page/etc Host: example.com ...... origin: areyo
2 comments

How I found 5 store XSS on a private program. Each worth "1,016.66$"

-

Hello everyone,

 This is my second blog of the series "Sharing Is Caring". What I have learnt until now because of those guys who believe in that 'methodology' :)

 The site is private, so call it private-site.com.

 1- Store XSS using comment body

 I found that on a private-site.com, the comment body was reflecting on user own profile. So, I started hunting in a way to find something special.

 After many tried and tested with each and every payload I got nothing. But, I believe in a sentence "There is always a way to bypass" {Thanks to zahid ali who once said this and proved it on facebook, when bypassed same feature three times}

 Anyway, I didn't give up and thinking to bypass. Later, an idea clicked on my mind to use payload on second or third line as I have read in other researcher posts. The xss got store when I used my favourite payload <svg/onload=alert(1337)> on the second line of the body.

 Time spent: 9-10 hours

 2- Store XSS using the file attachment

 This XSS was very easy to find. But I found it at the end when the program was about to close. I am more curious about how nobody found it.

 I saw a file attachment feature and tested it as my regular technique. I uploaded request on burp and sent to intruder. Then uploaded all file extensions on burp to see what extensions are allowed.

Extensions which was allowed [.txt, .png, .jpg and  '.xhtml' . Yes .xhtml !! ]

 For POC I uploaded the below code and reported it.
<?xml version="1.0" encoding="iso-8859-1"?>  
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"   
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">   
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">  
<head>  
<title>POC</title>  
</head>  
<body>  
<p>This is a POC</p>
<script>alert(document.cookie)</script>  
</body>  
</html>
Time spent: 1 hour

 3- Store XSS on the notification

 This type of XSS is my most favourite, I found it 3 times on different program. There was a feature on private-site.com, when a user performs any activity then follower user gets the notification. On notification the HTML tag was not sanitizing, So i used payload  "><svg/onload=alert(1337)> and made notification store xss.

 4- Store XSS using encoding

 I found that on one endpoint the data was stored on a user profile. But it was blocking < tag.
When I come across that situation, I just take the request on the burp and send the request to the intruder with the below payloads to see < sign can bypass or not.

 <
%3C
&lt
&lt;
&LT
&LT;
&#60
&#060
&#0060
&#00060
&#000060
&#0000060
&#X3C;
&#X03C;
&#X003C;
&#X0003C;
&#X00003C;
&#X000003C;
\x3c
\x3C
\u003c
\u003C

 Luckly, &#X000003C; was working. So i just used ">&#X000003C;svg/onload=alert(1337)>  and got store xss on user profile.

 5- Weird Store XSS

 This XSS took around 2-3 days to find a bypass. I am not allowed to use the exact term of the site that would help other to get clue. So it is one point where < and > sign was allowed but only width and height can be used.
For example:  < svg width=100 height=100> was allowed but when I used event handler it blocked. After two days I was about to give up. But I gave it one more day :)

 On one moment I sent the request to intruder with payload POST /< svg width=100 hight=100>test
 I forgot that i have added <svg width=100 hight=100>. So intruder tried different payload on 'test'. At one point the payload was
<svg width=100 hight=100><script>alert(1)</script>

 With the above payload, the store xss truly stored. Actually, the filter was checking the first HTML tag. It is really weird behaviour to me how this payload worked <svg><script>alert(1)</script>


Reach me on Facebook or Twitter

Comments

Post a Comment

Popular posts from this blog

How i was able to get admin panel on a private program

-
Hello everyone, I would like to disclose one of my recent finding in which I was able to get the admin panel on a private program. The program is private, so call it private-site.com. As many researchers believe in recon beforae hunting a target, same this law apply to me. Around two months ago I was invited in a private program, the first step I did to know all about the target. I strongly believe that recon is incomplete without using censys and shodan search engine. I always use it at first whenever choose a target. Same on that day I searched about the private-site.com. I was lucky by using the certificate base query as below https://censys.io/ipv4/help?q=80.https.tls.certificate.parsed.extensions.subject_alt_name.dns_names%3Aprivate-site.com When using the above query i got many open ports. So i directly hit the target with port and thinking something special will come in response. But with all ports i was getting reponse "ERR_CONNECTION_TIMED_OUT&
Read more

How To Test Cross Origin Resource Sharing Vulnerability (OTG-CLIENT-007)

-
Hello Everyone, This blog is all about Cross Origin Resource Sharing (CORS) Vulnerability. In my one year of research, I found various type of bypass, that I would like to discuss. I will keep this blog to the point without discussing backend reason, so that beginner can find it an easy one. If a site is allowing access control header at the output response then play with all the request and capture it on burp or any proxy you use. After getting all directory on burp -> target -> sitemap, then this is a good time to test !! Most of the people just test it on one point, but each directory has its own way to set access control header. So, test it on every directory. For example -dir1        -sub_dir1        -sub_dir2 -dir2        -sub_dir1        -sub_dir2 Here you need to test on dir1 and dir2. How To Test First, put any random character at origin header at the input and see the output response. POST/GET  /page/etc Host: example.com ...... origin: areyo
Read more