Simple CORS misconfig leads to disclose the sensitive token worth of $$$

Hey fellow hacker’s and Bug hunters , Recently i found some weird CORS misconfiguration in one of my targets.

If you don’t know what is CORS then learn from here.

Let’s assume the target as target.com . I started to extract the subdomains of target and saved it as target_subdomains.txt and extracted waybackurls for all the subdomains.

cat target_subdomains.txt | waybackurls >> target_waybackurls.txt

The waybackurls file has huge number of urls count of 10 lakh+ lines.

I started to search for sensitive words like token,password,amount etc… After 1–2 hours of searching , I’ve found one api endpoint which looks like

https://www-api.target.com/api/user/info/email

This api endpoint leaks the token which is used to authenticate a user for many api endpoints.this api response has two headers as

Access-Control-Allow-Origin: https://target.com
Access-Control-Allow-Credentials: true

I changed the Origin header in request as http://mysite.com but the response didn’t allowed that mysite.com and again i gave the origin as mysite.target.com now the target allowed this origin.

So, After this i simply gave the Origin as mysitetarget.com .Surprisingly it allowed this origin . i was like WTH!!!!

Now i can able to steal any user’s token from mysitetarget.com origin .I only need to buy the mysitetarget.com .

— — — — — — — — — — — — — — — — — — END — — — — — — — — — — — — — — — — —

Follow me for more bug hunting writeup’s

Follow me on Instagram : https://www.instagram.com/ram_0x_infosec/

Follow me on Twitter : https://twitter.com/Ram00733925

Connect with me on Linkedin : https://www.linkedin.com/in/ram0xinfosec/