GitBook: [#3147] No subject

This commit is contained in:
CPol 2022-04-29 14:06:04 +00:00 committed by gitbook-bot
parent 9c1fd6ac98
commit 23500ef90a
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
1 changed files with 18 additions and 16 deletions


@ -1,4 +1,4 @@
# CORS - Misconfigurations & Bypass
<details>
@ -16,9 +16,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
# CORS - Misconfigurations & Bypass
## What is CORS
The CORS (Cross-origin resource sharing) standard is needed because it **allows servers to specify who can access its assets** and which **HTTP request methods are allowed** from external resources.
@ -38,13 +35,13 @@ The following table shows how the same-origin policy will be applied in `http://
\*_Internet Explorer will allow this access because IE does not take account of the port number when applying the same-origin policy._
### `Access-Control-Allow-Origin` Header
#### `Access-Control-Allow-Origin` Header
The specification of `Access-Control-Allow-Origin` allows for **multiple origins**, or the value **`null`**, or the wildcard **`*`**. However, **no browser supports multiple origins** and there are **restrictions** on the use of the **wildcard** `*`.(_The wildcard can only be used alone, this will fail `Access-Control-Allow-Origin: https://*.normal-website.com` and it cannot be used with_ _Access-Control-Allow-Credentials: true_)
This header is **returned by a server** when a website requests a cross-domain resource, with an `Origin` header added by the browser.
### `Access-Control-Allow-Credentials` Header
#### `Access-Control-Allow-Credentials` Header
The **default** behaviour of cross-origin resource requests is for **requests** to be **passed without credentials** like cookies and the Authorization header. However, the cross-domain server can **permit reading** of the **response** when **credentials** are **passed** to it by setting the CORS **`Access-Control-Allow-Credentials`** header to **`true`**.
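Review bot: demoting `Access-Control-Allow-Origin` and `Access-Control-Allow-Credentials` from `###` to `####` skips a heading level unless an `###` heading sits between `## What is CORS` and these two; check the hierarchy so the rendered outline does not show orphaned H4s. The parenthetical in the `Access-Control-Allow-Origin` paragraph is also a run-on (`The wildcard can only be used alone, this will fail ...`); suggest `The wildcard can only be used alone; Access-Control-Allow-Origin: https://*.normal-website.com will fail, and it cannot be combined with Access-Control-Allow-Credentials: true`.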
@ -77,7 +74,7 @@ xhr.onreadystatechange = handler;
xhr.send('<person><name>Arun</name></person>');
```
### Pre-flight request
#### Pre-flight request
Under certain circumstances, when a cross-domain request:
@ -139,7 +136,7 @@ One notable exception is when the **victim's network location functions as a kin
### Reflected `Origin` in `Access-Control-Allow-Origin`
In the real world this cannot happen as **this 2 values of the headers are forbidden together**.\
It is also true that a lot of developers want to **allow several URLs in the CORS**, but subdomain wildcards or lists of URLs aren't allowed. Then, several developers **generates** the **`Access-Control-Allow-Origin`**header **dynamically**, and in more than one occasion they just **copy the value of the Origin header**.
It is also true that a lot of developers want to **allow several URLs in the CORS**, but subdomain wildcards or lists of URLs aren't allowed. Then, several developers **generates** the \*\*`Access-Control-Allow-Origin`\*\*header **dynamically**, and in more than one occasion they just **copy the value of the Origin header**.
In that case, the **same vulnerability might be exploited.**
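Review bot: the escaped form `\*\*`Access-Control-Allow-Origin`\*\*header` will render as literal asterisks instead of bold; the underlying problem is the missing space between the closing `**` and `header`, so the fix is `**`Access-Control-Allow-Origin`** header` rather than escaping the markers. While here, `this 2 values of the headers` should read `these two header values` and `several developers generates` should be `generate`.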
@ -226,13 +223,13 @@ Assuming that a user has access to sub.requester.com but not requester.com, and
If the stars are aligned we may be able to use server-side cache poisoning via HTTP header injection to create a [stored XSS](https://portswigger.net/web-security/cross-site-scripting/stored) vulnerability.
If an application **reflects** the **Origin header** without even checking it for illegal characters like **\r**, we effectively have a **HTTP header injection vulnerability against IE/Edge users as Internet Explorer and Edge view \r (0x0d) as a valid HTTP header terminator**:`GET / HTTP/1.1` \
If an application **reflects** the **Origin header** without even checking it for illegal characters like , we effectively have a **HTTP header injection vulnerability against IE/Edge users as Internet Explorer and Edge view \r (0x0d) as a valid HTTP header terminator**:`GET / HTTP/1.1`\
`Origin: z[0x0d]Content-Type: text/html; charset=UTF-7`
Internet Explorer sees the response as:
`HTTP/1.1 200 OK` \
`Access-Control-Allow-Origin: z` \
`HTTP/1.1 200 OK`\
`Access-Control-Allow-Origin: z`\
`Content-Type: text/html; charset=UTF-7`
This isn't directly exploitable because there's no way for an attacker to make someone's web browser send such a malformed header, but I can **manually craft this request in Burp Suite and a server-side cache may save the response and serve it to other people**. The payload I've used will change the page's character set to **UTF-7**, which is notoriously useful for creating XSS vulnerabilities.
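Review bot: the replacement line drops the `\r` example and now reads `illegal characters like , we effectively`, which loses the very character the sentence is about; restore it as an inline code span (`\r`, i.e. 0x0d) so the markdown escaper does not strip it again. The request and response examples would also be more robust as a single fenced block for `GET / HTTP/1.1` / `Origin: z[0x0d]Content-Type: text/html; charset=UTF-7` and for the three response lines than as backtick-per-line text with trailing hard line breaks, which is what this hunk is churning on.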
@ -286,7 +283,7 @@ Try to add a **`callback`** **parameter** in the request. Maybe the page was pre
You can ask a web-application to make a request for you and send back the response. This will bypass the **`Access-Control-Allow-Origin`** but notice that the **credentials to the final victim won't be sent** as you will be **contacting a different domain** (the one that will make the request for you).
#### [CORS-escape](https://github.com/shalvah/cors-escape)
[**CORS-escape**](https://github.com/shalvah/cors-escape)
CORS-escape provides a **proxy** that **passes** on our **request** along with its **headers**, and it also **spoofs** the **Origin** header (Origin = **requested domain**). So the **CORS policy is bypassed**.\
The source code is [on Github](https://github.com/shalvah/cors-escape), so you can **host your own**.
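Review bot: turning `#### [CORS-escape](...)` into a bold link removes the heading anchor for this subsection; if `CORS-escape` and `simple-cors-escape` are meant to stay navigable subsections of the proxy section, keep them as `####` headings (consistent with `#### Pre-flight request` above) rather than bold text. It would also help to keep the caveat from the preceding paragraph next to `So the CORS policy is bypassed`: the proxy only lifts the response-reading restriction, and the victim's cookies are never sent because the request originates from the proxy's domain.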
@ -295,10 +292,18 @@ The source code is [on Github](https://github.com/shalvah/cors-escape), so you c
xhr.open("GET", "https://cors-escape.herokuapp.com/https://maximum.blog/@shalvah/posts");
```
#### [simple-cors-escape](https://github.com/shalvah/simple-cors-escape)
[**simple-cors-escape**](https://github.com/shalvah/simple-cors-escape)
Proxying is kinda like “passing on" your request, exactly as you sent it. We could solve this in an alternative way that still involves someone else making the request for you, but this time, **instead of using passing on your request, the server makes its own request, but with whatever parameters you specified.**
### Iframe + Popup Bypass
You can **bypass CORS checks** such as `e.origin === window.origin` by **creating an iframe** and **from it opening a new window**. More information in the following page:
{% content-ref url="xss-cross-site-scripting/iframes-in-xss-and-csp.md" %}
[iframes-in-xss-and-csp.md](xss-cross-site-scripting/iframes-in-xss-and-csp.md)
{% endcontent-ref %}
### DNS Rebinding
![](<../.gitbook/assets/image (108).png>)
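Review bot: `e.origin === window.origin` is a `postMessage` origin comparison in a `message` event handler, not a CORS header check, so the new `### Iframe + Popup Bypass` section describes a bypass of client-side origin checks rather than of CORS; suggest rewording the lead sentence to `bypass origin checks such as ...` or stating the distinction. The `content-ref` path `xss-cross-site-scripting/iframes-in-xss-and-csp.md` is relative to this file; verify it resolves from the directory this page lives in. `kinda like` in the simple-cors-escape paragraph reads better as `similar to`.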
@ -334,7 +339,6 @@ Also, I don't know why this attack plays with the TLS of the DNS instead of just
{% embed url="https://medium.com/entersoftsecurity/every-bug-bounty-hunter-should-know-the-evil-smile-of-the-jsonp-over-the-browsers-same-origin-438af3a0ac3b" %}
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
@ -350,5 +354,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>