PortSwigger Academy defines a CORS vulnerability as follows:
“Cross-origin resource sharing (CORS) is a browser mechanism which enables controlled access to resources located outside of a given domain. It extends and adds flexibility to the same-origin policy. However, it also provides potential for cross-domain attacks, if a website’s CORS policy is poorly configured and implemented.”

The goal of this lab is to obtain an administrator API key through an insecure CORS configuration. We already have a basic user account on the vulnerable web app, which we will use for the pentest. We also have access to a server that we can use for delivering the exploit.

When we log into the account, we see our API key.

When we look at the request to /accountDetails in Burp Suite, we see the response header "Access-Control-Allow-Credentials: true". We send the request to Repeater.

Manually inserting an "Origin" header still yields a 200 OK response, meaning there is a CORS misconfiguration we can exploit.
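The manual check above, as an added example (not code from the lab or from PortSwigger): the reflecting handler shows the weak pattern, the allowlisted handler shows the fix, and a checker reproduces the Repeater test on response headers. The origin allowlist and all origins are constructed for the example.

```python
from typing import Dict, Optional

# Constructed allowlist for this example; a real deployment lists its own trusted origins.
ALLOWED_ORIGINS = {"https://app.example", "https://admin.example"}


def reflecting_cors(origin: Optional[str]) -> Dict[str, str]:
    """Weak pattern behind the lab: echo whatever Origin the browser sent and
    allow credentials, so any site can read the authenticated response."""
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def allowlisted_cors(origin: Optional[str]) -> Dict[str, str]:
    """Hardened form: only an exact allowlisted origin is echoed, and Vary: Origin
    stops a shared cache from serving one origin's headers to another."""
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {"Vary": "Origin"}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def is_misconfigured(probe_origin: str, headers: Dict[str, str]) -> bool:
    """The check done by hand in Repeater: send an Origin you do NOT trust and
    look for a response that both allows credentials and names that origin
    (or the literal 'null'). A wildcard '*' with credentials is refused by
    browsers, so it is not counted here."""
    lowered = {k.lower(): v for k, v in headers.items()}
    acao = lowered.get("access-control-allow-origin")
    creds = lowered.get("access-control-allow-credentials", "").strip().lower() == "true"
    return creds and acao in (probe_origin, "null")
```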

We can use the script provided by PortSwigger Academy, changing the URL to that of the vulnerable web app we are targeting. We deliver the exploit to the victim and then check the log to see the admin key.

The logged value is URL-encoded, so we need to URL-decode it to see the API key.

Once that is done, we submit the key and solve the lab.
