Lütfü Mert Ceylan

Lütfü Mert Ceylan

Security Researcher
Bachelor CSe Student in WUT | OWASP Project Leader | founder @trbughunters
[email protected]

EN \| Account Takeover and Sensitive Data Leakage via CORS Misconfiguration

July 04, 2020


In June of this year, I found a CORS Misconfiguration vulnerability in a datacenter company. The system was very simple, a PUT command sent to the API Server both changed the account email and showed all the data of the account in JSON format as Response. Then, I reported this weakness and the company rewarded me with a $$$ bounty. Also, I would like to thank Bugra Eskici , who helped me a lot to detect this vulnerability.

Recon

I was reviewing the responses by sending requests to the system. When I looked at request header, I saw that the “Origin” attribute was defined. The vulnerable site was defined in the “Origin” attribute as a value, and this value was also defined in the “Access-Control-Allow-Origin” attribute in the Response. Also, the “Access-Control-Allow-Credentials” value was “true”.

Is it vulnerable?

I write evil.com as the value to Origin. And Bingo! The response status was “200 OK” and evil.com was also included in the Access-Control-Allow-Origin attribute.


That is, there was a CORS Misconfiguration vulnerability.

Double Shot!!

I can change the account email with a simple PUT request. Moreover, the server was showing the sensitive data of the account as Response. Then, I have created a simple script for both changing email and stealing sensitive data.

You can find the script I created in my tweet:


With the script, I changed the e-mail address by sending a PUT request. (Account Takeover)

Then, I sent the Response containing sensitive data to a request-bin service with this script.

And, sensitive data sent the attacker’s site.

So I was able to both change the e-mail address of the victim account and steal sensitive data. Both vulnerabilities were caused by CORS Misconfiguration. As I have explained, it is possible to exploit these vulnerabilities with a simple script.

The end :

10 June 2020 - Report sent
10 June 2020 - Confirmed
11 June 2020 - I was awarded a $$$ bounty

You May Also Enjoy

EN | Race Condition to Users Limit Bypass in Add User Function

In September of last year, I found a Race Condition vulnerability at an Online Services company located in the Netherlands. They had a private Zerocopter program and that’s why I was doing bug hunting based on web applications, on their systems. And I reported the…

EN | Clickjacking to Account Takeover via Drag&Drop

In August of this year, I found a Clickjacking vulnerability in a dutch company. Later I realized that this vulnerability could be upgraded to Account Takeover. Then, I coded a PoC template with CSS and reported the vulnerability. And they fixed…