{"id":13649822,"url":"https://github.com/incredibleindishell/CORS_vulnerable_Lab-Without_Database","last_synced_at":"2025-04-22T15:31:04.392Z","repository":{"id":47533187,"uuid":"347602429","full_name":"incredibleindishell/CORS_vulnerable_Lab-Without_Database","owner":"incredibleindishell","description":null,"archived":false,"fork":false,"pushed_at":"2021-08-25T03:01:03.000Z","size":17034,"stargazers_count":64,"open_issues_count":0,"forks_count":9,"subscribers_count":3,"default_branch":"main","last_synced_at":"2024-08-03T02:03:16.821Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/incredibleindishell.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-03-14T10:11:40.000Z","updated_at":"2024-07-18T12:01:26.000Z","dependencies_parsed_at":"2022-09-23T12:33:45.792Z","dependency_job_id":null,"html_url":"https://github.com/incredibleindishell/CORS_vulnerable_Lab-Without_Database","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/incredibleindishell%2FCORS_vulnerable_Lab-Without_Database","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/incredibleindishell%2FCORS_vulnerable_Lab-Without_Database/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/incredibleindishell%2FCORS_vulnerable_Lab-Without_Database/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/incredibleindishell%2FCORS_vulnerable_Lab-Without_Database/manifests","owner_url":"https://re
pos.ecosyste.ms/api/v1/hosts/GitHub/owners/incredibleindishell","download_url":"https://codeload.github.com/incredibleindishell/CORS_vulnerable_Lab-Without_Database/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":223900372,"owners_count":17222028,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T02:00:26.638Z","updated_at":"2024-11-10T00:31:47.859Z","avatar_url":"https://github.com/incredibleindishell.png","language":"PHP","readme":"\n# CORS misconfiguration vulnerable Lab\nThis repository contains vulnerable code demonstrating CORS misconfigurations. The vulnerable code can be set up on a local machine to practice exploiting CORS misconfiguration issues.\n\nI would like to say Thank You to @albinowax (For his work in CORS exploitation), AKReddy and Vivek Sir (For being great personalities who always supported me) and Andrew Sir - @vanderaj (for his encouraging words)\n\n![](https://raw.githubusercontent.com/incredibleindishell/CORS_vulnerable_Lab-Without_Database/main/images/lab_login.png)\n\n# Run docker image \n```\ngit clone https://github.com/incredibleindishell/CORS_vulnerable_Lab-Without_Database.git\ncd CORS_vulnerable_Lab-Without_Database\ndocker build . -t \u003ctagname\u003e\ndocker run -d -p 8000:80 \u003ctagname\u003e\n```\n\u003e Access it as http://localhost:8000 \n# Set up the lab on a local machine \nThe following are the prerequisites to configure the vulnerable code on a local/remote machine:\n\n  1. Apache web server\n  2. 
PHP 5/7\n  \n\n\u003cb\u003eSteps to Configure:\u003c/b\u003e\n\n1. Download and extract the code into the \"htdocs\" or webroot directory of the web server.\n2. Access the \"CORS Vulnerable Lab\" application.\n3. Login credentials are already specified in the input fields; just click the \"Let Me In\" button and you are ready to play with the lab. \n\n\n# Challenges available in this lab\nThere are 3 misconfigurations simulated in this lab. \n\n![](https://raw.githubusercontent.com/incredibleindishell/CORS-vulnerable-Lab/master/images/lab.png)\n\n\u003cb\u003eApplication Trust Arbitrary Origin\u003c/b\u003e\n\nThe application accepts CORS requests from any Origin. The code reflects the request's \"Origin\" value in the HTTP response header \"Access-Control-Allow-Origin\". This configuration allows a script from any \"Origin\" to make CORS requests to the application. The web browser will perform its standard CORS request checks, and a script from a malicious domain will be able to steal the data. \n\n\u003cb\u003eApplication has bad \"regex\" Implementation to check Trusted Origin\u003c/b\u003e\n\nThe application has a CORS policy implemented and performs a \"regex\" check for whitelisted domains/sub-domains. In this scenario, the application has a weak regex implementation which just checks for the presence of the domain name \"b0x.com\" anywhere in the HTTP request \"Origin\" header. If the \"Origin\" header has the value \"inb0x.com\" or \"b0x.comlab.com\", the regex check will pass. This misconfiguration leads to data being shared cross-origin. \n\n\u003cb\u003eApplication Trust \"null\" Origin\u003c/b\u003e\n\nIn this scenario, the application's HTTP response header \"Access-Control-Allow-Origin\" is always set to \"null\". When the user specifies any value other than null, the application does not process it and keeps reflecting \"null\" in the HTTP response. There are a few tricks which allow an attacker to exploit this and exfiltrate a victim's data using CORS requests. 
\n\n\u003cb\u003eExamples:\u003c/b\u003e\n\n\u003cb\u003eApplication Trust Arbitrary Origin\u003c/b\u003e\n\nThe application accepts any value specified in the \"Origin\" header.\n![](https://raw.githubusercontent.com/incredibleindishell/CORS-vulnerable-Lab/master/images/arbitrary_origin.png)\n\nExploitation Demo\n\n![](https://github.com/incredibleindishell/CORS-vulnerable-Lab/blob/master/POCs/CORS_policy_arbitrary_origin_exploit.gif)\n\n\u003cb\u003eApplication has bad \"regex\" Implementation to check Trusted Origin\u003c/b\u003e\n\nThe application trusts a whitelisted Origin.\n![](https://raw.githubusercontent.com/incredibleindishell/CORS-vulnerable-Lab/master/images/bad_regex%201.png)\n\nThe application does not allow an arbitrary Origin.\n![](https://raw.githubusercontent.com/incredibleindishell/CORS-vulnerable-Lab/master/images/bad_regex%202.png)\n\nThe application's weak regex allows an Origin which has the whitelisted domain string at the start of the domain name.\n![](https://raw.githubusercontent.com/incredibleindishell/CORS-vulnerable-Lab/master/images/bad_regex%203.png)\n\nThe application's weak regex allows an Origin which has the whitelisted domain string at the end of the domain name.\n![](https://raw.githubusercontent.com/incredibleindishell/CORS-vulnerable-Lab/master/images/bad_regex%204.png)\n\n\u003cb\u003eApplication Trust \"null\" Origin\u003c/b\u003e\n\nThe application accepts the \"null\" value specified in the \"Origin\" header.\n![](https://raw.githubusercontent.com/incredibleindishell/CORS-vulnerable-Lab/master/images/null_origin%202.png)\n\nThe application does not accept any \"Origin\" value other than \"null\".\n![](https://raw.githubusercontent.com/incredibleindishell/CORS-vulnerable-Lab/master/images/null_origin%202.png)\n\nExploitation Demo\n\n![](https://github.com/incredibleindishell/CORS-vulnerable-Lab/blob/master/POCs/CORS_policy_null_origin_exploit_chrome.gif)\n\n\u003cb\u003e Ex-filtrating data to attacker controlled 
server\u003c/b\u003e\n\n![](https://github.com/incredibleindishell/CORS-vulnerable-Lab/blob/master/POCs/Data%20ex-filtration.gif)\n\nOf course, \n\u003cbr\u003e\u003cb\u003e--==[[ With Love From IndiShell ]]==--\u003c/b\u003e \u003cimg src=\"https://web.archive.org/web/20140704135452/freesmileys.org/smileys/smiley-flag010.gif\"\u003e\n\n\n\n--==[[ Greetz To ]]==--\n\n\tGuru ji zero, Code breaker ICA, root_devil, google_warrior, INX_r0ot, Darkwolf indishell, Baba,\n\tSilent poison India, Magnum sniper, ethicalnoob Indishell, Reborn India, L0rd Crus4d3r, cool toad,\n\tHackuin, Alicks, mike waals, cyber gladiator, Cyber Ace, Golden boy INDIA, d3, rafay baloch, nag256\n\tKetan Singh, AR AR, saad abbasi, Minhal Mehdi, Raj bhai ji, Hacking queen, lovetherisk, D2, Bikash Dash and rest of the Team INDISHELL\n\n--==[[Love to]]==--\n\n\tMy Father, my Ex Teacher, cold fire hacker, Mannu, ViKi, Ashu bhai ji, Soldier Of God, Bhuppi, Gujjar PCP\n\tMohit, Ffe, Shardhanand, Budhaoo, bohops, Hacker fantastic, Jennifer Arcuri, Thecolonial, S3cur3Th1sSh1t, Ben R \n\tAnurag Bhai ji, Vivek bhai ji and Don(Deepika kaushik)\n\n","funding_links":[],"categories":["OWASP Top 10"],"sub_categories":["CORS Misconfiguration"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fincredibleindishell%2FCORS_vulnerable_Lab-Without_Database","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fincredibleindishell%2FCORS_vulnerable_Lab-Without_Database","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fincredibleindishell%2FCORS_vulnerable_Lab-Without_Database/lists"}