Exploiting CORS misconfiguration

bugbaba.blogspot.com · devanshbatham/Awesome-Bugbounty-Writeups · 4 hours ago · bug-bounty
AI Summary

A researcher exploited CORS misconfiguration combined with reflected XSS on a Netgear subdomain to extract sensitive user data (email, age, gender, DOB) by sending malicious links that executed JavaScript in the attacker's context and exfiltrated API responses. The vulnerability required an endpoint that accepted subdomain origins and an XSS vulnerability on a whitelisted subdomain to execute the data theft payload.

Exploiting CORS Misconfiguration using XSS

February 18, 2018

Hello All,

This post is about how I exploited a Cross-Origin Resource Sharing (CORS) misconfiguration with the help of Cross-Site Scripting (XSS).

After reporting some bugs to the Netgear Kudos program, I started getting old private program invites on Bugcrowd. One of them had 300+ researchers and had been running since 2015. I wasn't happy about that, as I thought I wouldn't be able to find anything in a program that had been running for such a long time and that so many others had looked at before me. Even if I did find something, the chances of it being a duplicate were high. But then Osama said this:

So I finally started looking at it and trying my best to find something. Got one P3, but it went duplicate :(

But then I found an endpoint that had a simple CORS misconfiguration and was returning user details like email address, age, gender, DOB, etc. in its response. It was triaged, paid and fixed within a week.

I was happy and was planning to move on to other programs, but sadly none of them were as interesting as this one. So I started looking at it again.

During my initial recon phase I had found a reflected XSS on their support portal, but that subdomain was out of scope of the program. I don't know why, but I just bookmarked it ¯\_(ツ)_/¯

Later I found another endpoint that was also returning user details in its response, but it only accepted subdomains as the origin. So in this case there are two options:

- Finding an XSS on a subdomain (which I already had)
- Subdomain takeover

Even after reading these blogs multiple times, I wasn't able to understand the flow of the attack:

https://web-in-security.blogspot.in/2017/07/cors-misconfigurations-on-large-scale.html
http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html

After talking to a lot of people, including James Kettle, Daniel Bakker and Kaushal Parikh, I was finally able to understand what the attack flow would look like:

1. The attacker sends the XSS link to the user with the following payload:

2. This sends a GET request to site.com with the origin set to sub.site.com and then pastes the response back into a paragraph tag (in this case).
3. The data is then sent to the attacker's server using JavaScript.

I quickly reproduced it twice just to be sure and submitted the report. The Bugcrowd analyst replied this:

So after exchanging a few messages, I was able to convince him, and it was triaged and paid. The client replied this ^_^

Lessons Learned:

Just because the program is old and so many people have looked at it, it doesn't mean there is nothing to find.
XSS is lub <3

While I can't share the original PoC, I have tried to re-create the same scenario on my local machine; you can get the code from my profile on GitHub.

Thanks for reading. Hopefully we will meet next time with another cool finding :)

--
Regards,
Noman Shaikh

Labels: Bugbounty, XSS

Comments

Unknown, 19 February 2018 at 00:02
Nice find sir. 😄

Noman Shaikh, 19 February 2018 at 00:09
Thanks Sir :D

gopi, 19 February 2018 at 00:46
If my understanding is correct, you are displaying sensitive data from the main site in a <p> tag on the subdomain site. Is just displaying sensitive data on the subdomain site an issue? How can it be exploited in a real-time scenario?

Noman Shaikh, 19 February 2018 at 00:52
Just doing that is not an issue. But, as we can get sensitive data from the main domain to a subdomain and we have XSS on that subdomain, that is, we can run JavaScript in the context of that site, and using JavaScript we can send the data to any server instead of displaying it.

gopi, 19 February 2018 at 01:09
Got it. Thanks!

Unknown, 19 February 2018 at 01:07
Awesome! Nice find!

securityprince, 6 March 2018 at 01:10
Great finding bro, keep it up!
Noman Shaikh, 7 March 2018 at 06:57
Thanks ;)

Pranav, 3 May 2019 at 22:52
Sir please provide me CORS payload
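The origin check at the heart of the attack flow in the post (any subdomain accepted as the origin, with credentials), shown beside a hardened exact-match allow-list, as an added example that is not part of the original post; the hostnames site.com, app.site.com, support.site.com and dangling.site.com are placeholders, not the program's real hosts.

```javascript
// Added example: the weak "any subdomain is trusted" CORS policy beside a
// hardened allow-list. Hostnames are placeholders. Run with: node cors.js

const PARENT = "site.com"; // placeholder for the main domain

// Parse the Origin header; a malformed value is treated as no origin.
function hostOf(origin) {
  try {
    return new URL(origin).hostname;
  } catch (e) {
    return null;
  }
}

// Weak policy (the misconfiguration in the post): every host under the
// parent domain is reflected into Access-Control-Allow-Origin, and
// credentials are allowed. Any subdomain with an XSS, or a subdomain that
// can be taken over, can therefore read authenticated API responses.
function weakCorsHeaders(origin) {
  const host = hostOf(origin);
  if (host !== null && (host === PARENT || host.endsWith("." + PARENT))) {
    return {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
    };
  }
  return null; // no CORS headers: browser blocks the cross-origin read
}

// Hardened policy: an explicit allow-list of exact origins (scheme + host),
// compared by string equality. Only the front end that really needs the
// data is listed; an XSS on another subdomain no longer helps.
const ALLOWED_ORIGINS = new Set(["https://app.site.com"]);

function strictCorsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin", // keep caches from serving one origin's headers to another
  };
}

// Audit helper: which of the given origins would a policy let read the data?
function originsAllowedBy(policy, origins) {
  return origins.filter((o) => policy(o) !== null);
}

// Constructed sample origins for the audit.
const SAMPLE_ORIGINS = [
  "https://app.site.com", // the legitimate front end
  "https://support.site.com", // subdomain with a reflected XSS, as in the post
  "https://dangling.site.com", // subdomain with an unclaimed DNS record
  "https://evil.com",
  "https://site.com.evil.com", // attacker host that merely contains the name
];

console.log("weak:  ", originsAllowedBy(weakCorsHeaders, SAMPLE_ORIGINS));
console.log("strict:", originsAllowedBy(strictCorsHeaders, SAMPLE_ORIGINS));
```

The weak policy lets three of the five sample origins read the response; the strict one lets only the listed front end through.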