CORS

CWE-346: Origin Validation Error

What is CORS (cross-origin resource sharing)?

Cross-origin resource sharing (CORS) is a browser mechanism which enables controlled access to resources located outside of a given domain.

Misconfigured CORS

• Use [CorsMe](<https://github.com/Shivangx01b/CorsMe>) to Check all urls cat http_https.txt | ./CorsMe -t 70

• Origin:null

• Origin:attacker.com

• Origin:attacker.target.com

• Origin:attackertarget.com

• Origin:sub.attackertarget.com

• Origin:attacker.com and then change the method Get to post/Post to Get

• Origin:sub.attacker target.com

• Origin:sub.attacker%target.com

• Origin:attacker.com/target.com

• Origin:expected-host.com.attacker.com

• expected-host.computer

• foo@evil-host:80@expected-host

• foo@evil-host%20@expected-host

• evil-host%09expected-host

• 127.1.1.1:80\\\\@127.2.2.2:80

• 127.1.1.1:80:\\\\@@127.2.2.2:80

• 127.1.1.1:80#\\\\@127.2.2.2:80

• ß.evil-host

• Method 1 ( Single_target)

Step->1. Capture the target website and spider or crawl all the website using burp.
Step->2. Use burp search look for Access-Control
Step->3. Try to add Origin Header i.e,Origin:attacker.com or Origin:null or Origin:attacker.target.com or Origin:target.attacker.com
Step->4  If origin is reflected in response means the target is vuln to CORS

---

• Method 2 (Multiple)

step 1-> find domains i.e subfinder -d target.com -o domains.txt
step 2-> check alive ones : cat domains.txt | httpx | tee -a alive.txt
step 3-> send each alive domain into burp i.e, cat alive.txt | parallel -j 10 curl --proxy "<http://127.0.0.1:8080>" -sk 2>/dev/null
step 4-> Repeat hunting method 1

Reports

• CORS bug on google's 404 page (rewarded)

• CORS misconfiguration leading to private information disclosure

• CORS misconfiguration account takeover out of scope to grab items in scope

• Chrome CORS

• Bypassing CORS

• CORS to CSRF attack

• An unexploited CORS misconfiguration reflecting further issues

• Think outside the scope advanced cors exploitation techniques

• A simple CORS misconfiguration leaked private post of twitter facebook instagram

• Explpoiting CORS misconfiguration

• Full account takeover through CORS with connection sockets

• Exploiting insecure CORS API api.artsy.net

• Pre domain wildcard CORS exploitation

• Exploiting misconfigured CORS on popular BTC site

• Abusing CORS for an XSS on flickr