Simple CORS misconfig leads to disclosure of a sensitive token worth $$$

Ramalingasamy, published in InfoSec Write-ups, Dec 16, 2022 (2 min read)


Hey fellow hackers and bug hunters, recently I found a weird CORS misconfiguration in one of my targets.

If you don't know what CORS is, learn about it here.

Let's assume the target is target.com. I started by extracting the target's subdomains, saved them as target_subdomains.txt, and extracted waybackurls for all of those subdomains.

cat target_subdomains.txt | waybackurls >> target_waybackurls.txt

The waybackurls file had a huge number of URLs, 10 lakh+ (over a million) lines.

I started searching for sensitive words like token, password, amount, etc. After 1–2 hours of searching, I found one API endpoint that looks like

https://www-api.target.com/api/user/info/email

This API endpoint leaks the token that is used to authenticate a user for many API endpoints. The API response has two headers:

Access-Control-Allow-Origin: https://target.com
Access-Control-Allow-Credentials: true

I changed the Origin header in the request to http://mysite.com, but the response did not allow mysite.com. Then I gave the origin as mysite.target.com, and this time the target allowed the origin.

So after this I simply gave the Origin as mysitetarget.com. Surprisingly, it allowed this origin too. I was like WTH!!!!

Now I can steal any user's token from the mysitetarget.com origin. I only need to buy mysitetarget.com.
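The post does not show the server's actual origin check, so here is an added Python example (not code from the original post or the target) of the kind of check that would reproduce what was observed, next to a hardened version. It assumes the weak check is a bare suffix match on the Origin string and uses the post's placeholder domain target.com:

```python
from urllib.parse import urlsplit

TRUSTED_HOST = "target.com"  # placeholder domain from the post, not a real target


def weak_origin_allowed(origin: str) -> bool:
    """Assumed reproduction of the flawed check: a bare suffix match.
    Any string that merely ends in 'target.com' passes, so
    'https://mysitetarget.com' is accepted. This is the bug, not a fix."""
    return origin.endswith(TRUSTED_HOST)


def strict_origin_allowed(origin: str) -> bool:
    """Hardened check: parse the Origin, require https, and compare the
    host exactly or on a '.' boundary so 'mysitetarget.com' cannot match."""
    try:
        parts = urlsplit(origin)
    except ValueError:  # malformed Origin (e.g. bad IPv6 literal)
        return False
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = parts.hostname.lower()
    # Accept the apex or a true subdomain only. Trusting every subdomain is
    # still broad (any subdomain issue becomes a CORS issue); an exact
    # allowlist of known front-end origins is the safer default.
    return host == TRUSTED_HOST or host.endswith("." + TRUSTED_HOST)


def cors_headers(origin: str, check=strict_origin_allowed) -> dict:
    """Headers for a credentialed CORS response. An untrusted origin gets
    no CORS headers at all (never a wildcard with credentials)."""
    if not check(origin):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # Tell caches the response depends on Origin, so one origin's
        # allow header is not replayed to another.
        "Vary": "Origin",
    }
```

Running the three origins from the write-up through both checks shows the difference: the weak check accepts mysitetarget.com, the strict one rejects it while still accepting mysite.target.com.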

— — — — — — — — — — — — — — — — — — END — — — — — — — — — — — — — — — — —

Follow me for more bug hunting write-ups

Follow me on Instagram : https://www.instagram.com/ram_0x_infosec/

Follow me on Twitter : https://twitter.com/Ram00733925

Connect with me on Linkedin : https://www.linkedin.com/in/ram0xinfosec/
