Unexploitable CORS can lead to Stored XSS?

-


Heeeeeeey guys, this is the last bug I found but I liked it so I wanna share the idea with you let's go.

Find CORS

our target here is a private program on HackerOne so let's call it example.com, this website almost all endpoints is vulnerable to CORS ðŸ˜‚, I found a CORS in an endpoint which changing my name but the response didn't include private information to steal so it was unexploitable.

Find Self-Stored XSS

I spent hours testing the application and I found an interesting thing one of the endpoints display the current user's information in JSON format but the issue here is the Content-Type of the response is text/html and this is the first WOW, I looked to this information and I found that there is a parameter include the name of the user so I can change it and this is the second WOW, I get back and add an XSS payload on the name, after saving the payload I opened the endpoint and as expected the payload executed, and this is an example of the endpoint path

http://example.com/user/info 

Exploit CORS

now we have a CORS and Self-XSS what we can do?! if you asked anyone about what is CORS he/she will say it is a bug we can use to steal the response from an endpoint allow any external domain sending requests to it with cookies, right? this is a good answer but what is actually the bug here I can send requests to this endpoint but there is nothing to steal, what if I just used it to change the user name this will be CSRF so I tried this idea but it didn't work after testing the headers I found that the endpoint is checking the content-type header from the request if it is not application/json it will not be accepted and guess what? we can add headers in the request using CORS vulnerability ðŸ˜Ž so I wrote an exploit to change the user name, and this is the code to make CORS a CSRF

this code is sending the request to change the name of the user.

Get the Stored XSS

now we have a CSRF to change the user name so we can try to add our XSS payload on it and make the user open the endpoint which displays the name of the user and will execute our XSS payload so I added a second part to our exploit, so the next code will send a request with the content-type to add our XSS payload to the name of the user and after 3 seconds the code will open the page which vulnerable to XSS


and this is the full exploit of this bug, I didn't get my reward yet ðŸ˜¢.


GoodBye Guys ðŸ‘‹, See you soon ðŸ‘‹

Comments

Post a Comment

Popular posts from this blog

Exploit & Debug Looney Tunables CVE-2023-4911 Local Privilege Escalation in the glibc's ld.so

-
Image
Hoi, let's try to debug and explain CVE-2023-4911 which is a buffer overflow in the glibc loader my debugging and exploit tested on Ubuntu 22.04.2 (Jammy Jellyfish), you can read the analysis and more information from the Qualys Security writeup . POC to check if you are vulnerable or not env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" "Z=`printf '%08192x' 1`" /usr/bin/su --help My exploit POC video takes 5m but I speeded up the video Preparing let's disable ASLR and debug our exploit echo 0 | sudo tee /proc/sys/kernel/randomize_va_space you have to know (from qualys security): On Linux, the stack is randomized in a 16GB region, and our environment strings can occupy up to 6MB (_STK_LIM / 4 * 3, in the kernel's bprm_stack_limits()): after 16GB / 6MB = 2730 tries we have a good chance of guessing the address of our environment strings. using the buffer overflow vulnerability in the tunables we will overflow the link_map struct wh
Read more

Lets Analysis STM32F103 Chip Firmware from Attify

-
Image
( بِسْÙ…ِ اللَّـهِ الرَّØ­ْÙ…َÙ€ٰÙ†ِ الرَّØ­ِيمِ ) Let's start our blog. As we know any IoT device should have a firmware to run it and there is a thought that it is secure by default because it is in a board, but we know that we can dump this firmware, our firmware know is already shared with us something like training to learn basics of reversing firmware. you can download the firmware from here . if we run the file command on the firmware we will find this "STM32F103C-firmware.bin: data" and if we try to get the architecture using binwalk it will return empty result "binwalk -A STM32F103C-firmware.bin" but we don't need this because it is a famous chip and we can know what we want from google. After searching for the chip name STM32F103C we will open its default page you will know that it run using "ARM Cortex M3" we will need that later, it is time to analysis using Ghidra. Analysis Dropping the firmware file to Ghidra but it will not detect anything
Read more

Using CSRF I Got Weird Account Takeover

-
Image
Hi guys, I'm back again this bug was interesting and weird let's start. let's refer to the target's name as (target.com) I start to test the domain like what I do in my testing, I used sublist3r to enumerate the subdomains, in one of these subdomains I start to test the password reset function I sent a request to my email to change the password, i opened the link and sent the request to change the password but i used my Burp to see the request and it looks like that there is a token for CSRF I tested this token and deleted it but the change happens, that means there is no filtring for this token there is a CSRF bug here and there is another thing the token of reset password not in the request not in the cookies or in the body so i think it's in the sessions and how i knew that? I test the function of reset password I sent another link to my account and i sent the same request but it returns 403, I opened the new reset link bug didn't use it and I go b
Read more