CWE-346: Origin Validation Error
Cross-origin resource sharing (CORS) is a browser mechanism which enables controlled access to resources located outside of a given domain.
- Use [CorsMe](<https://github.com/Shivangx01b/CorsMe>) to check all URLs: `cat http_https.txt | ./CorsMe -t 70`
- Origin: null
- Origin: attacker.com
- Origin: attacker.target.com
- Origin: attackertarget.com
- Origin: sub.attackertarget.com
- Origin: attacker.com, then change the request method (GET to POST, or POST to GET)
- Origin: sub.attacker target.com
- Origin: sub.attacker%target.com
- Origin: attacker.com/target.com
- Origin: expected-host.com.attacker.com
- Origin: expected-host.computer
- Origin: foo@evil-host:80@expected-host
- Origin: foo@evil-host%20@expected-host
- Origin: evil-host%09expected-host
- Origin: 127.1.1.1:80\\\\@127.2.2.2:80
- Origin: 127.1.1.1:80:\\\\@@127.2.2.2:80
- Origin: 127.1.1.1:80#\\\\@127.2.2.2:80
- Origin: ß.evil-host
- Method 1 (single target)
  1. Capture the target website and spider or crawl the whole site using Burp.
  2. Use Burp's search to look for `Access-Control`.
  3. Try adding an Origin header, e.g. `Origin: attacker.com`, `Origin: null`, `Origin: attacker.target.com` or `Origin: target.attacker.com`.
  4. If the origin is reflected in the `Access-Control-Allow-Origin` response header, the target is vulnerable to CORS misconfiguration (also note whether `Access-Control-Allow-Credentials: true` is present, since that is what makes authenticated responses readable cross-origin).
- Method 2 (multiple targets)
  1. Find domains, e.g. `subfinder -d target.com -o domains.txt`
  2. Check which ones are alive: `cat domains.txt | httpx | tee -a alive.txt`
  3. Send each live domain through Burp: `cat alive.txt | parallel -j 10 curl --proxy "http://127.0.0.1:8080" -sk 2>/dev/null`
  4. Repeat hunting Method 1.
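As an added illustration (not part of this checklist or of CorsMe), the Python script below models step 4 of Method 1: it labels the response to an Origin probe and contrasts a substring-matching origin check with an exact allowlist, using several of the payloads listed above. The allowlist, the stand-in server and the probe list are constructed for the example.

```python
from urllib.parse import urlsplit
# Constructed allowlist for a hypothetical site; a real deployment supplies its own set.
ALLOWED_ORIGINS = {"https://expected-host.com", "https://app.expected-host.com"}

def weak_allows(origin: str) -> bool:
    """Substring match, a common misconfiguration: any origin containing the trusted host passes."""
    return "expected-host.com" in origin

def strict_allows(origin: str) -> bool:
    """Exact scheme://host[:port] match against the allowlist; 'null' and malformed origins fail."""
    if origin == "null":
        return False
    p = urlsplit(origin)
    if p.scheme != "https" or not p.netloc or p.path or p.query or p.fragment:
        return False
    return f"{p.scheme}://{p.netloc.lower()}" in ALLOWED_ORIGINS

def simulate(check, origin: str) -> dict:
    """Stand-in for a server that echoes the Origin with credentials whenever check() accepts it."""
    if check(origin):
        return {"Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true"}
    return {}

def classify_cors(sent_origin: str, headers: dict) -> str:
    """Label the response to a probe that carried 'Origin: sent_origin' (step 4 of Method 1)."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = "-with-credentials" if h.get("access-control-allow-credentials", "").lower() == "true" else ""
    if acao is None:
        return "no-cors"
    if acao == "*":
        return "wildcard" + creds  # browsers refuse credentialed requests to '*', so creds here is a misconfig
    if acao == sent_origin:
        return ("null-origin" if sent_origin == "null" else "origin-reflected") + creds
    return "fixed-origin"

# Probes taken from the payload list above; a reflected label is a finding only for origins the site should not trust.
PROBES = ["https://expected-host.com", "https://expected-host.com.attacker.com",
          "https://expected-host.computer", "https://foo@evil-host:80@expected-host.com", "null"]
def audit(check) -> dict:
    """Run every probe against a server using `check`; returns probe -> label."""
    return {o: classify_cors(o, simulate(check, o)) for o in PROBES}

if __name__ == "__main__":
    for name, check in (("substring match", weak_allows), ("exact allowlist", strict_allows)):
        print(name)
        for origin, label in audit(check).items():
            print(f"  {origin:45} {label}")
```

With the substring check every probe except `null` is echoed back with credentials; with the exact allowlist only the legitimate origin is.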
- CORS bug on Google's 404 page (rewarded)
- CORS misconfiguration leading to private information disclosure
- CORS misconfiguration account takeover out of scope to grab items in scope
- Chrome CORS
- Bypassing CORS
- CORS to CSRF attack
- An unexploited CORS misconfiguration reflecting further issues
- Think outside the scope: advanced CORS exploitation techniques
- A simple CORS misconfiguration leaked private posts of Twitter, Facebook and Instagram
- Exploiting CORS misconfiguration
- Full account takeover through CORS with connection sockets
- Exploiting insecure CORS API api.artsy.net
- Pre-domain wildcard CORS exploitation
- Exploiting misconfigured CORS on popular BTC site
- Abusing CORS for an XSS on flickr