Language: PHP
Created over 5 years ago
Updated over 3 years ago


Repository Details

Sample vulnerable code and its exploit code

CORS misconfiguration vulnerable Lab

This repository contains vulnerable code related to CORS misconfiguration. One can configure the vulnerable code on a local machine to practise exploitation of CORS misconfiguration issues.

I would like to say Thank You to @albinowax (for his work on CORS exploitation), AKReddy and Vivek Sir (for being great personalities who always supported me) and Andrew Sir - @vanderaj (for his encouraging words).

Set up the lab on a machine

Following are the prerequisites to configure the vulnerable code on a local/remote machine:

  1. Apache web server
  2. PHP 5/7
  3. MySQL Database

Steps to Configure:

  1. Download and extract the code into the "htdocs" or webroot directory of the web server.

  2. Open PHPMyAdmin and create a new database with the name "ica_lab".

  3. If you want to use the MySQL "root" user account, skip the step below and jump to step 5.

  4. Create a new user named "billu" by executing the SQL command below (then skip step 5):

      -- On MySQL 5.x this single statement creates the user and grants access;
      -- MySQL 8 no longer accepts IDENTIFIED BY inside GRANT, so there run CREATE USER first.
      grant all on ica_lab.* to billu@localhost IDENTIFIED BY 'b0x_billu';
    
  5. Open "c0nnection.php" in a text editor and make the following change in the PHP:

       change 
       $conn = mysqli_connect("127.0.0.1","billu","b0x_billu","ica_lab");
       to
       $conn = mysqli_connect("127.0.0.1","root","","ica_lab");
    
  6. In PHPMyAdmin, select "database" and then click the database name "ica_lab".

  7. Click the "Import" button and browse to locate the SQL dump file "ica_lab.sql" on your local machine. This file is in the "database" directory of the repository.

  8. After selecting the SQL dump file, click the "Go" button. Now the database is ready.

  9. Access the "CORS Vulnerable Lab" application.

  10. Login credentials are already filled in the input fields; just click the "Let Me In" button and you are ready to play with the lab.

Challenges available in this lab

There are 3 misconfigurations simulated in this lab.

Application Trusts Arbitrary Origin

The application accepts CORS requests from any Origin. The code reflects the request's "Origin" value in the HTTP response header "Access-Control-Allow-Origin". This configuration allows a script from any "Origin" to make CORS requests to the application. The web browser performs its standard CORS checks, which pass, and a script from a malicious domain is able to steal the data.

Application has bad "regex" Implementation to check Trusted Origin

The application has a CORS policy implemented and performs a "Regex" check for whitelisted domains/sub-domains. In this scenario, the regex implementation is weak: it only checks for the presence of the domain name "b0x.com" anywhere in the HTTP request "Origin" header. If the "Origin" header has the value "inb0x.com" or "b0x.comlab.com", the regex marks it as passing. This misconfiguration leads to sharing of data across origins.

Application Trusts "null" Origin

In this scenario, the application's HTTP response header "Access-Control-Allow-Origin" is always set to "null". When the user specifies any value other than null, the application does not process it and keeps reflecting "null" in the HTTP response. A few tricks allow an attacker to exploit this and exfiltrate the victim's data using CORS requests.
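As an added example (not code from this lab), the following PHP puts the three Origin checks described above beside the strict allow-list check a defender would deploy instead, and runs all four over a handful of Origin values from the command line. The function names, the `TRUSTED_ORIGINS` list, the `Access-Control-Allow-Credentials` header (assumed because the lab sits behind a login) and the sample Origin values are assumptions; the nullable return types need PHP 7.1 or later.

```php
<?php
// Added example (not code from the CORS_vulnerable_Lab repository): the three
// Origin checks this lab simulates, side by side with a strict allow-list check.
// The allow-listed hosts and the sample Origin values below are constructed.

// Misconfiguration 1: reflect whatever Origin the client sent.
function allow_any_origin(string $origin): ?string {
    return $origin; // every origin, including attacker.example, is trusted
}

// Misconfiguration 2: a "whitelist" regex that only looks for the substring
// b0x.com anywhere in the header, so inb0x.com and b0x.comlab.com both pass.
function allow_weak_regex(string $origin): ?string {
    return preg_match('/b0x\.com/', $origin) === 1 ? $origin : null;
}

// Misconfiguration 3: always answer with the literal "null" origin, which
// browsers also send for sandboxed or local documents, not just for "no origin".
function allow_null_origin(string $origin): ?string {
    return 'null';
}

// Hardened check: exact, case-insensitive match of scheme + host (+ port)
// against a fixed allow-list; anything else, including "null", gets no header.
const TRUSTED_ORIGINS = ['https://b0x.com', 'https://lab.b0x.com'];

function allow_strict(string $origin): ?string {
    $parts = parse_url($origin);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null; // "null", empty and malformed Origin values are rejected
    }
    $normalised = strtolower($parts['scheme'] . '://' . $parts['host'])
                . (isset($parts['port']) ? ':' . $parts['port'] : '');
    return in_array($normalised, TRUSTED_ORIGINS, true) ? $normalised : null;
}

// Emit the CORS headers for a checked origin, or none at all if it failed.
function send_cors_headers(?string $allowed): void {
    if ($allowed === null) {
        return; // without ACAO the browser refuses the cross-origin read
    }
    header('Access-Control-Allow-Origin: ' . $allowed);
    header('Access-Control-Allow-Credentials: true');
    header('Vary: Origin'); // stop caches serving one origin's header to another
}

// Constructed sample Origin values; run with: php cors_check.php
if (PHP_SAPI === 'cli') {
    $samples = ['https://b0x.com', 'https://inb0x.com', 'https://b0x.comlab.com',
                'https://attacker.example', 'null'];
    $checks  = ['any' => 'allow_any_origin', 'weak_regex' => 'allow_weak_regex',
                'null' => 'allow_null_origin', 'strict' => 'allow_strict'];
    foreach ($samples as $origin) {
        foreach ($checks as $name => $fn) {
            printf("%-26s %-11s -> %s\n", $origin, $name, $fn($origin) ?? '(no header)');
        }
    }
}
```

Only `allow_strict` rejects the two look-alike hosts and the "null" value while still admitting `https://b0x.com`; the `Vary: Origin` header matters once a cache sits in front of the application, because the response now differs per requesting origin.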

Examples:

Application Trusts Arbitrary Origin

The application accepts any value specified in the "Origin" header.

Exploitation Demo

Application has bad "regex" Implementation to check Trusted Origin

The application trusts the whitelisted Origin.

The application does not allow an arbitrary Origin.

The weak regex allows an Origin that has the whitelisted domain string at the start of the domain name.

The weak regex allows an Origin that has the whitelisted domain string at the end of the domain name.

Application Trusts "null" Origin

The application accepts the "null" value specified in the "Origin" header.

The application does not accept any value other than "null" in the "Origin" header.

Exploitation Demo

Exfiltrating data to an attacker-controlled server

Of course,
--==[[ With Love From IndiShell ]]==--

--==[[ Greetz To ]]==--

Guru ji zero, Code breaker ICA, root_devil, google_warrior, INX_r0ot, Darkwolf indishell, Baba,
Silent poison India, Magnum sniper, ethicalnoob Indishell, Reborn India, L0rd Crus4d3r, cool toad,
Hackuin, Alicks, mike waals, cyber gladiator, Cyber Ace, Golden boy INDIA, d3, rafay baloch, nag256
Ketan Singh, AR AR, saad abbasi, Minhal Mehdi, Raj bhai ji, Hacking queen, lovetherisk, D2, Bikash Dash and rest of the Team INDISHELL

--==[[Love to]]==--

My Father, my Ex Teacher, cold fire hacker, Mannu, ViKi, Ashu bhai ji, Soldier Of God, Bhuppi, Gujjar PCP
Mohit, Ffe, Shardhanand, Budhaoo, Jagriti, Hacker fantastic, Jennifer Arcuri, Thecolonial and Don(Deepika kaushik)
