Unexploitable CORS can lead to Stored XSS?



Heeeeeeey guys, this is the last bug I found but I liked it so I wanna share the idea with you let's go.

Find CORS

our target here is a private program on HackerOne so let's call it example.com, this website almost all endpoints is vulnerable to CORS 😂, I found a CORS in an endpoint which changing my name but the response didn't include private information to steal so it was unexploitable.

Find Self-Stored XSS

I spent hours testing the application and I found an interesting thing one of the endpoints display the current user's information in JSON format but the issue here is the Content-Type of the response is text/html and this is the first WOW, I looked to this information and I found that there is a parameter include the name of the user so I can change it and this is the second WOW, I get back and add an XSS payload on the name, after saving the payload I opened the endpoint and as expected the payload executed, and this is an example of the endpoint path

http://example.com/user/info 

Exploit CORS

now we have a CORS and Self-XSS what we can do?! if you asked anyone about what is CORS he/she will say it is a bug we can use to steal the response from an endpoint allow any external domain sending requests to it with cookies, right? this is a good answer but what is actually the bug here I can send requests to this endpoint but there is nothing to steal, what if I just used it to change the user name this will be CSRF so I tried this idea but it didn't work after testing the headers I found that the endpoint is checking the content-type header from the request if it is not application/json it will not be accepted and guess what? we can add headers in the request using CORS vulnerability 😎 so I wrote an exploit to change the user name, and this is the code to make CORS a CSRF

this code is sending the request to change the name of the user.

Get the Stored XSS

now we have a CSRF to change the user name so we can try to add our XSS payload on it and make the user open the endpoint which displays the name of the user and will execute our XSS payload so I added a second part to our exploit, so the next code will send a request with the content-type to add our XSS payload to the name of the user and after 3 seconds the code will open the page which vulnerable to XSS


and this is the full exploit of this bug, I didn't get my reward yet 😢.


GoodBye Guys 👋, See you soon 👋

Comments

Popular posts from this blog

[BlackHatMEA-CTF 2024] cockatoo PWN challenge

[WEB] ASC Wargame CTF 2024 - Challenge Hot Proxy

Lets Analysis STM32F103 Chip Firmware from Attify