Bypass CORS Filter leads to CSRF Application Wide

let's start reading?

I will call my target [example.com].

I was testing my target and found the target is using one endpoint to do actions in this domain if you want to show a page or update information the application will send a request to the same endpoint but with different parameters in JSON format, like the following screenshot


you can notice that there is no CSRF Token or any Custom-Header to prevent the CSRF Attacks, so I wrote an exploit code to try the CSRF Attack and it didn't work so what happens?

I found that the server is checking on the origin which sends the request all checks are on it it just accepts requests from trusted domains [http://*.example.com], I tried a lot of bypasses to break this filter but I couldn't so it was a wall that prevents me from making it a valid bug.

I took a few minutes to think about it and I found something can I try which is Null Origin I tried it in the header and it works the check is disabled and the request works without any issues so we have a chance here.


so now I want to send a request to this endpoint with Null Origin because if the request added an Origin header with the name of a domain like [test.com] the request will be blocked because we are not trusted for the server, to send a request with null origin value we can use the [iframe] tag with [src] attribute, [src] attribute we can use [data:text/html] to execute our JS code which will send the request to the endpoint and the origin will be null too

our [src] we added a script tag that includes a JS file that will contain our full exploit which will be like this one

This is a simple JS code to send a request to the endpoint with the body of the request which will make the action this endpoint used to Delete, Add, and Open files.

But there is another attack with it, I found a Self-XSS a few days ago but it will not be accepted because it is a Self one so how does this XSS work, first I should open the search tab this happen with a request to the same endpoint and write the payload in the search field this one happen with a request to the same endpoint too.

So with our attack and the Self-XSS, I could create an exploit code to send a request to the endpoint with the right body to open the search tab and after 3 seconds (wait until loading the tab) the exploit code will send the next request to set the XSS payload and make it work, the following is the exploit code

So what happened here, I found that null origin is helping me to bypass the filter on the origin's value I chained it with my Self-XSS to make it valid XSS, but I can use it as CSRF Application Wide too because we can send all requests with our payload just add the body for this action.


I hope that this helps you ;-).

Thanks.




Comments

Popular posts from this blog

[BlackHatMEA-CTF 2024] cockatoo PWN challenge

[WEB] ASC Wargame CTF 2024 - Challenge Hot Proxy

Lets Analysis STM32F103 Chip Firmware from Attify