How To Test Cross Origin Resource Sharing Vulnerability (OTG-CLIENT-007)

Hello everyone, this blog is all about the Cross Origin Resource Sharing (CORS) vulnerability. In my one year of research I found various types of bypass that I would like to discuss. I will keep this blog to the point, without discussing the backend reasons, so that beginners can find it an easy one. If a site is returning access control headers in the output response, then play with all the requests and capture them in Burp or any proxy you use. After getting all directories in Burp -> Target -> Sitemap, this is a good time to test! Most people just test it at one point, but each directory has its own way of setting the access control header. So, test it on every directory. For example:

-dir1
    -sub_dir1
    -sub_dir2
-dir2
    -sub_dir1
    -sub_dir2

Here you need to test on dir1 and dir2.

How To Test

First, put any random character in the Origin header of the request and look at the output response.

POST/GET /page/etc
Host: example.com
......
origin: areyo
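The check the excerpt describes, classifying the response that comes back for an arbitrary probe Origin, written out as an added example (this is not code from the original post). It performs no network requests: it takes the probe Origin that was sent and the response headers that were captured in the proxy, and says what the server's CORS policy is. The probe origin, the paths and the response headers below are constructed; the per-directory loop reflects the point that each directory may set the header differently.

```python
"""Classify CORS response headers per directory (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, Mapping


@dataclass(frozen=True)
class CorsVerdict:
    severity: str   # "none", "info", "medium", "high"
    reason: str


def classify_cors(probe_origin: str, response_headers: Mapping[str, str]) -> CorsVerdict:
    """probe_origin must be an arbitrary origin that no allow-list would contain,
    so that an exact echo can only mean the server reflects whatever it is sent."""
    # Header names are case-insensitive; normalise once before looking them up.
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    credentials = headers.get("access-control-allow-credentials", "").lower() == "true"

    if acao is None:
        return CorsVerdict("none", "no Access-Control-Allow-Origin: same-origin policy applies")
    if acao == "*":
        if credentials:
            # Browsers refuse to honour '*' together with credentials, so no
            # cross-origin read of authenticated data results, but the intent is wrong.
            return CorsVerdict("medium", "wildcard origin combined with credentials=true "
                                         "(ignored by browsers, but a misconfiguration)")
        return CorsVerdict("info", "wildcard origin without credentials: only "
                                   "unauthenticated content is readable cross-origin")
    if acao == "null":
        return CorsVerdict("high" if credentials else "medium",
                           "'null' origin allowed: sandboxed iframes and file:// pages send Origin: null")
    if acao == probe_origin:
        return CorsVerdict("high" if credentials else "medium",
                           "probe Origin reflected verbatim: any origin is accepted"
                           + (" with credentials" if credentials else ""))
    return CorsVerdict("info", f"fixed allow-list value {acao!r} did not match the probe origin")


def audit_directories(probe_origin: str,
                      responses_by_path: Mapping[str, Mapping[str, str]]) -> Dict[str, CorsVerdict]:
    """Apply the check to every directory, since each may set the header differently."""
    return {path: classify_cors(probe_origin, hdrs) for path, hdrs in responses_by_path.items()}


PROBE_ORIGIN = "https://cors-probe.invalid"   # constructed; .invalid is a reserved TLD

SAMPLE_RESPONSES = {  # constructed response headers captured per directory
    "/dir1/": {"Content-Type": "application/json"},
    "/dir1/sub_dir1/": {"Access-Control-Allow-Origin": "*"},
    "/dir2/": {"Access-Control-Allow-Origin": "https://www.example.com",
               "Access-Control-Allow-Credentials": "true"},
    "/dir2/sub_dir2/": {"access-control-allow-origin": PROBE_ORIGIN,
                        "access-control-allow-credentials": "true"},
}

if __name__ == "__main__":
    for path, verdict in audit_directories(PROBE_ORIGIN, SAMPLE_RESPONSES).items():
        print(f"{verdict.severity:6} {path:16} {verdict.reason}")
```

Only the directory that echoes the probe origin together with Access-Control-Allow-Credentials: true is rated high; the fixed allow-list on /dir2/ is fine even though it also sends credentials, which is why the probe origin must be a value nobody would legitimately allow-list.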

How I was able to get the admin panel on a private program

Hello everyone,

I would like to disclose one of my recent findings, in which I was able to get the admin panel on a private program. The program is private, so let's call it private-site.com.


As many researchers believe in recon before hunting a target, the same law applies to me. Around two months ago I was invited to a private program, and the first step I took was to learn all about the target.

I strongly believe that recon is incomplete without using the Censys and Shodan search engines. I always use them first whenever I choose a target. Same on that day, I searched for private-site.com. I was lucky by using the certificate-based query below:


https://censys.io/ipv4/help?q=80.https.tls.certificate.parsed.extensions.subject_alt_name.dns_names%3Aprivate-site.com

When using the above query I got many open ports. So I directly hit the target on each port, thinking something special would come back in the response. But on all ports I was getting the response "ERR_CONNECTION_TIMED_OUT".


I used nmap and learned that all the ports which Censys showed as open were filtered/closed, which means the data was old or something had been fixed. One more thing I do is check all sites which match the certificate. For example, by using the above query I also got some IPs which resolved to different sites but had the same certificate.


There were around 30 IPs which I got, and I was opening every site. One IP which resolved to http://ip_detail.us-west-1.compute.amazonaws.com got my attention. The site opened with a login page. At that point I was confused whether to test further or not, because only private-site.com was in scope.


To be honest I was not in the mood to test it, but I just put user: admin and password: admin, hit the login button and got internal access. All the information was there: private information about users which belonged to private-site.com. So I reported the bug.
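The discovery steps above (a certificate search keyed on the in-scope domain, a result set that is partly stale, and hosts sharing the certificate but resolving to names outside the program's scope) are the same steps a security team can run against its own domain to find forgotten infrastructure. The following is an added example, not the author's tooling or the search engine's API: it takes observations of the kind a certificate search returns (IP, port, the certificate's SAN dns_names, the name the IP resolves to, and when it was seen), keeps the ones whose certificate covers the in-scope domain, puts hosts with an out-of-scope hostname at the top of the review list, and marks observations old enough that the open ports must be re-verified, as the nmap step in the post showed. The observations, times and IPs (RFC 5737 documentation ranges) are constructed.

```python
"""Certificate-based asset inventory and scope triage (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class CertObservation:
    ip: str
    port: int
    san_dns_names: Tuple[str, ...]   # certificate subject_alt_name.dns_names
    reverse_name: str                # hostname the IP resolved to
    observed_at: datetime            # when the scanner saw this certificate


def name_covers_domain(san_name: str, domain: str) -> bool:
    """True if a SAN entry is the domain itself, a subdomain of it, or a wildcard under it."""
    san = san_name.lower().rstrip(".")
    dom = domain.lower().rstrip(".")
    if san.startswith("*."):
        san = san[2:]   # '*.example.com' is still a certificate for example.com's namespace
    return san == dom or san.endswith("." + dom)


def hostname_in_scope(hostname: str, in_scope_domains: Iterable[str]) -> bool:
    return any(name_covers_domain(hostname, d) for d in in_scope_domains)


def triage(observations: Iterable[CertObservation], in_scope_domains: Iterable[str],
           now: datetime, max_age: timedelta = timedelta(days=30)) -> List[Dict]:
    """Keep hosts presenting a certificate for the scope; flag out-of-scope names and stale data."""
    scope = [d.lower() for d in in_scope_domains]
    report = []
    for obs in observations:
        matching = [n for n in obs.san_dns_names if any(name_covers_domain(n, d) for d in scope)]
        if not matching:
            continue   # certificate unrelated to the scope: ignore
        report.append({
            "ip": obs.ip,
            "port": obs.port,
            "reverse_name": obs.reverse_name,
            "matching_san": matching,
            "hostname_in_scope": hostname_in_scope(obs.reverse_name, scope),
            # Search-engine data ages; ports seen open long ago need a fresh scan before trusting them.
            "stale": now - obs.observed_at > max_age,
        })
    # Unexpected hostnames first, then stale records, so the review list starts with the surprises.
    report.sort(key=lambda r: (r["hostname_in_scope"], not r["stale"], r["ip"]))
    return report


def unexpected_hosts(report: List[Dict]) -> List[Dict]:
    return [r for r in report if not r["hostname_in_scope"]]


def stale_hosts(report: List[Dict]) -> List[Dict]:
    return [r for r in report if r["stale"]]


NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)   # constructed reference time

SAMPLE_OBSERVATIONS = (   # constructed; mimics certificate-search results for private-site.com
    CertObservation("203.0.113.10", 443, ("private-site.com", "www.private-site.com"),
                    "www.private-site.com", NOW - timedelta(days=2)),
    CertObservation("203.0.113.11", 8443, ("*.private-site.com",),
                    "mail.private-site.com", NOW - timedelta(days=90)),
    CertObservation("198.51.100.7", 443, ("private-site.com",),
                    "ec2-198-51-100-7.us-west-1.compute.amazonaws.com", NOW - timedelta(days=1)),
    CertObservation("198.51.100.8", 443, ("other-site.example",),
                    "www.other-site.example", NOW - timedelta(days=1)),
)

if __name__ == "__main__":
    for r in triage(SAMPLE_OBSERVATIONS, {"private-site.com"}, NOW):
        flag = "REVIEW" if not r["hostname_in_scope"] else ("STALE " if r["stale"] else "ok    ")
        print(f"{flag} {r['ip']}:{r['port']} {r['reverse_name']} SAN={r['matching_san']}")
```

The cloud host that presents the in-scope certificate but resolves to an out-of-scope name is exactly the kind of entry that surfaces first; the stale record says nothing about whether its port is still open until it is rescanned.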


The bug was fixed within an hour of reporting it. After two hours I got a reply from the security team.

"We’ve just been discussing this some more. One of the IPs we have been looking at in more detail shows some manual-looking interactions where they are creating |||||||||||. We are still working out what these |||||||||| might do, but the attempts feel like it could be a bug bounty researcher."

I do not know the exact matter, but I made it clear about my IP and the duration in which I had access.

Bug reported: 25 Feb
Bug resolved: 25 Feb
Bounty awarded: $1500 on 26 Feb

Reach me on Facebook or Twitter
