Well, today is Saturday, and bear with me as I am usually lazy about doing write-ups. So I will do my best to share what I can. I am redacting the corporation's name as I was not allowed to disclose these findings in association with them.
The CORS vulnerability that I found last weekend was in one of the hosts that I've been on for a bug bounty program. This multinational corporation is one of the top in the world.
A CORS (Cross-Origin Resource Sharing) vulnerability happens when a web application allows cross-domain requests without proper validation, that is, without restricting the set of origins and hosts it will share resources with (for example, by reflecting whatever Origin the browser sends). If sensitive information is present in the response, an attacker can steal it by writing malicious code on their own site that exploits the misconfiguration.
As shown below, two important headers are present in the response, and I can change the value of the "Origin" header to my own URL/domain or to any other that I want.
ACAO or Access-Control-Allow-Origin:
ACAC or Access-Control-Allow-Credentials: true
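To make the misconfiguration behind those two headers concrete, here is an added example in Python (it is not the author's PoC and not the affected company's code): a server-side CORS handler that reflects any Origin while allowing credentials, the hardened allowlist version of the same handler, and a defender-side check that flags the reflected-origin plus credentials combination in a captured response. The allowlisted domains and the probe origin are constructed for the example.

```python
"""Added example (not the post author's PoC): a reflected-Origin CORS
misconfiguration server-side, its hardened allowlist variant, and a
response-header check a defender can run over captured responses."""
from urllib.parse import urlsplit

# Constructed allowlist for the hardened handler; hypothetical domains.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_headers_vulnerable(request_origin):
    """Misconfigured handler: echoes whatever Origin the browser sent and
    allows credentials, so any site a logged-in user visits can read the
    authenticated response. This is the pattern the post describes."""
    if request_origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_fixed(request_origin, allowlist=ALLOWED_ORIGINS):
    """Hardened handler: only an exact-match, allowlisted https origin is
    echoed back; everything else gets no CORS headers at all, so the browser
    blocks the cross-origin read. 'Vary: Origin' keeps a shared cache from
    serving one origin's ACAO value to a different origin."""
    if request_origin is None:
        return {}
    parts = urlsplit(request_origin)
    # A real Origin is scheme://host[:port] with no path or query. Anything
    # else (the literal "null", an origin with a path) is rejected outright.
    if parts.scheme != "https" or not parts.netloc or parts.path or parts.query:
        return {}
    if request_origin not in allowlist:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def is_cors_misconfigured(headers, probe_origin):
    """Defender-side check over a captured response: True when the server
    reflected an origin it does not own (the probe) together with
    Access-Control-Allow-Credentials: true. ACAO '*' with credentials is
    refused by browsers, so it is not the reflected case checked here."""
    acao = headers.get("Access-Control-Allow-Origin")
    acac = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    return acao is not None and acac and acao == probe_origin


if __name__ == "__main__":
    # Constructed probe origin: a site the application does not own.
    probe = "https://not-our-site.example"
    print("vulnerable handler flagged:",
          is_cors_misconfigured(cors_headers_vulnerable(probe), probe))
    print("fixed handler flagged:",
          is_cors_misconfigured(cors_headers_fixed(probe), probe))
```

When reviewing your own application, run the check against responses captured with an Origin value you do not control; the handler is only safe when that probe yields no Access-Control-Allow-Origin header at all, not merely a different one.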
I successfully changed the Origin value to my VPS server's IP address, and by using a PoC / exploit hosted on my VPS server, as shown below, I was able to retrieve the information, since this vulnerable host had been misconfigured to allow any host/domain to fetch it.
Also shown are the details from the browser's inspect element.
Just imagine sending a malicious link to an authenticated victim on this host; it could steal their sensitive information. I reported these findings to them and they immediately fixed it.
And about the bug bounty reward? That's a $ECRET :)
That's all for now!