Chaining CORS with Reflected XSS to Account Takeover #My first Blog
Hi, everyone
My name is Santosh Kumar Sha, I'm a security researcher from India (Assam). In this article, I will describe how I was able to exploit a CORS misconfiguration by chaining it with a reflected XSS to leak private information and ultimately take over the account.
I am now offering 1:1 sessions to share my knowledge and expertise:
Tip for finding CORS bugs:
Here is the workflow I use when I look for CORS bugs.
First:
Spider the target host with Burp Suite (I prefer an older version of Burp Suite for its Spider). After the spider finishes, copy all the discovered URLs and save them in a text file. Then run one of the following against that list:
cat corstexturl.txt | CorsMe
OR
cat corstexturl.txt | sort -u | xargs -I{} curl -sk -o /dev/null -D - -H "Origin: https://test.com" {} | grep -i "Access-Control-Allow-Origin: https://test.com"
cat corstexturl.txt | sort -u | while read -r host; do curl -s --path-as-is --insecure -o /dev/null -D - -H "Origin: https://test.com" "$host" | grep -qsi "Access-Control-Allow-Origin: https://test.com" && printf '\033[0;31m%s CORS vulnerable\033[0m\n' "$host"; done
The curl calls use -D - with -o /dev/null so that only the response headers reach grep (without -D or -i, curl prints just the body and the grep never matches). The xargs variant prints only the matching header, while the while loop prints the URL that reflected the origin. A reflected Origin is only useful for reading authenticated data when the response also carries Access-Control-Allow-Credentials: true, so check for that header as well; it is also worth trying Origin: null and an origin that merely contains the target's domain (for example https://target.com.test.com), since weak regex checks often accept those.
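Here is an added example (not part of the original post and not the author's tooling) that takes the one-liners above one step further: instead of grepping for the reflected header alone, it reads the headers that curl -D prints, checks for Access-Control-Allow-Credentials: true next to the reflected Origin, and separates a wildcard or a fixed allow-list from a true reflection. The attacker origin https://evil.example, the script name cors_triage.sh and the sample responses are all constructed for this example.

```shell
#!/bin/sh
# Added example, not the author's tooling: triage a CORS response rather than
# grepping for the reflected header alone. A reflected Origin only exposes
# account data when Access-Control-Allow-Credentials: true is also present,
# because that is what lets the victim's cookies ride along on the request.
# https://evil.example is a constructed attacker origin.

# cors_verdict ORIGIN  (raw response headers on stdin)
# Prints one verdict word; returns 0 only for the exploitable combination.
cors_verdict() {
  origin="$1"
  hdrs=$(tr -d '\r')          # tolerate the CRLF line endings curl -D emits
  acao=$(printf '%s\n' "$hdrs" | grep -i '^access-control-allow-origin:' \
         | head -n 1 | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//')
  acac=$(printf '%s\n' "$hdrs" | grep -i '^access-control-allow-credentials:' \
         | head -n 1 | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//' \
         | tr 'A-Z' 'a-z')

  if [ -z "$acao" ]; then
    echo "no-cors"; return 1                    # endpoint does not speak CORS at all
  elif [ "$acao" = "*" ]; then
    echo "wildcard"; return 1                   # browsers never send credentials to "*"
  elif [ "$acao" != "$origin" ]; then
    echo "fixed-origin"; return 1               # allow-list: our origin was not echoed
  elif [ "$acac" = "true" ]; then
    echo "reflected-with-credentials"; return 0 # exploitable: cookies sent, body readable
  else
    echo "reflected-no-credentials"; return 1   # only anonymous responses are readable
  fi
}

# probe_cors URL [ORIGIN]: fetch the headers only, with a forged Origin, and triage them.
probe_cors() {
  url="$1"; origin="${2:-https://evil.example}"
  verdict=$(curl -sk -o /dev/null -D - -H "Origin: $origin" "$url" | cors_verdict "$origin")
  printf '%-27s %s\n' "$verdict" "$url"
}

# Constructed sample responses (not captured from any real target).
SAMPLE_VULN='HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://evil.example
Access-Control-Allow-Credentials: true
Content-Type: application/json'

SAMPLE_REFLECT_ONLY='HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://evil.example
Content-Type: application/json'

SAMPLE_WILDCARD='HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true'

# Usage: sh cors_triage.sh URL...   or   sort -u corstexturl.txt | xargs -n 1 sh cors_triage.sh
# Pass "null" as the second argument to probe_cors to test the sandboxed-iframe origin.
for u in "$@"; do probe_cors "$u"; done
```

Only the reflected-with-credentials verdict is worth writing up for account data; the reflected-no-credentials case can still leak content that is served without a session, and the fixed-origin case should be re-probed with Origin: null and with a subdomain-style origin before it is dismissed.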
Case#1
Vulnerable Endpoint
About a week ago, I was hacking on a public bug bounty program. After playing with the Origin header in the HTTP request, then…