Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/incredibleindishell/CORS_vulnerable_Lab-Without_Database


https://github.com/incredibleindishell/CORS_vulnerable_Lab-Without_Database

Last synced: 6 days ago
JSON representation

Awesome Lists containing this project

README 

        

# CORS misconfiguration vulnerable Lab

This Repository contains CORS misconfiguration related vulnerable codes. One can configure the Vulnerable code on local machine to perform practical exploitation of CORS related misconfiguration issues.



I would like to say Thank You to @albinowax (For his work in CORS exploitation), AKReddy and Vivek Sir (For being great personalities who always supported me) and Andrew Sir - @vanderaj (for his encouraging words)



![](https://raw.githubusercontent.com/incredibleindishell/CORS_vulnerable_Lab-Without_Database/main/images/lab_login.png)



# Run docker image 

```

git clone https://github.com/incredibleindishell/CORS_vulnerable_Lab-Without_Database.git

cd CORS_vulnerable_Lab-Without_Database

docker build . -t 

docker run -d -p 8000:80 

```

> Access it as http://localhost:8000 

# Setup the lab on Machine locally 

Following are the pre-requities to configure the vulnerable code on local/remote machine



  1. Apache web server

  2. PHP 5/7

  



Steps to Configure:



1. Download and extract the codes in "htdocs" or webroot  directory of the web server.

2. Access the "CORS Vulnerable Lab" application.

3. Login credentials are already specified in input fields, just click "Let Me In" button and you are ready to play with the lab. 



# Challenges available in this lab

There are 3 misconfiguration which are simulated in this Lab. 



![](https://raw.githubusercontent.com/incredibleindishell/CORS-vulnerable-Lab/master/images/lab.png)



Application Trust Arbitrary Origin



Application accept CORS request from any Origin. The code put the "Origin" value in HTTP response header "Access-Control-Allow-Origin". Now, this configuration will allow any script from any "Origin" to make CORS request to application. Web browser will perform standard CORS request checks and Script from malicious domain will be able to steal the data. 



Application has bad "regex" Implementation to check Trusted Origin



Application has CORS policy implemented and perform "Regex" check for whitelisted Domain/Sub-domains. In this scenario, application has weak regex implementation in code which just check for presence of domain name "b0x.com" anywhere in HTTP request "Origin" header. If HTTP header "Origin" has value "inb0x.com" or b0x.comlab.com, regex will mark it pass. This misconfiguration will lead to sharing of data over cross origin. 



Application Trust "null" Origin



In this scenario, application HTTP response header "Access-Control-Allow-Origin" is always set to "null". When user specify any value other than null, application does not process it and keep reflecting "null" in HTTP response. There are few tricks which allow an attacker to perform exploitation and can ex-filtrate data of victim using CORS request. 



Examples:



Application Trust Arbitrary Origin



Application accept any value specified in "Origin" header.

![](https://raw.githubusercontent.com/incredibleindishell/CORS-vulnerable-Lab/master/images/arbitrary_origin.png)



Exploitation Demo



![](https://github.com/incredibleindishell/CORS-vulnerable-Lab/blob/master/POCs/CORS_policy_arbitrary_origin_exploit.gif)



Application has bad "regex" Implementation to check Trusted Origin



Application is trusting whitelisted Origin.

![](https://raw.githubusercontent.com/incredibleindishell/CORS-vulnerable-Lab/master/images/bad_regex%201.png)



Application is not allowing any arbitrary Origin.

![](https://raw.githubusercontent.com/incredibleindishell/CORS-vulnerable-Lab/master/images/bad_regex%202.png)



Application weak regex allowing an Origin which has whitelisted domain string in starting of the domain name.

![](https://raw.githubusercontent.com/incredibleindishell/CORS-vulnerable-Lab/master/images/bad_regex%203.png)



Application weak regex allowing an Origin which has whitelisted domain string in the end of the domain name.

![](https://raw.githubusercontent.com/incredibleindishell/CORS-vulnerable-Lab/master/images/bad_regex%204.png)



Application Trust "null" Origin



Application accept "null" value specified in "Origin" header.

![](https://raw.githubusercontent.com/incredibleindishell/CORS-vulnerable-Lab/master/images/null_origin%202.png)



Application is not accepting any value other then "null" "Origin".

![](https://raw.githubusercontent.com/incredibleindishell/CORS-vulnerable-Lab/master/images/null_origin%202.png)



Exploitation Demo



![](https://github.com/incredibleindishell/CORS-vulnerable-Lab/blob/master/POCs/CORS_policy_null_origin_exploit_chrome.gif)



 Ex-filtrating data to attacker controlled server



![](https://github.com/incredibleindishell/CORS-vulnerable-Lab/blob/master/POCs/Data%20ex-filtration.gif)



Ofcourse, 


--==[[ With Love From IndiShell ]]==-- 



--==[[ Greetz To ]]==--



	Guru ji zero, Code breaker ICA, root_devil, google_warrior, INX_r0ot, Darkwolf indishell, Baba,

	Silent poison India, Magnum sniper, ethicalnoob Indishell, Reborn India, L0rd Crus4d3r, cool toad,

	Hackuin, Alicks, mike waals, cyber gladiator, Cyber Ace, Golden boy INDIA, d3, rafay baloch, nag256

	Ketan Singh, AR AR, saad abbasi, Minhal Mehdi, Raj bhai ji, Hacking queen, lovetherisk, D2, Bikash Dash and rest of the Team INDISHELL



--==[[Love to]]==--



	My Father, my Ex Teacher, cold fire hacker, Mannu, ViKi, Ashu bhai ji, Soldier Of God, Bhuppi, Gujjar PCP

	Mohit, Ffe, Shardhanand, Budhaoo, bohops, Hacker fantastic, Jennifer Arcuri, Thecolonial, S3cur3Th1sSh1t, Ben R 

	Anurag Bhai ji, Vivek bhai ji and Don(Deepika kaushik)