In this article we are telling you about cross origin resource sharing vulnerability like what is cross origin resource sharing vulnerability and how it is found in a website.
Here we are also telling you by doing cross origin resource sharing vulnerability practical like we have told you earlier by solving labs of insecure deserialization vulnerability and access control vulnerabilities.
We are telling you all this for educational purpose, you should never misuse any kind of hacking attack that you have told us, if you want to do all this for bug hunting, in such a way you can do it with bugcrowd and hackerone website.
Note- This article is only for educational purpose. Don’t miss use your knowledge and skills.
What is Cross Origin Resource Sharing ?
Before finding the cross origin resource sharing bug, you should know what is CORS, let us tell you in detail about cross origin resource sharing. it also provides potential for cross domain based attacks.
If we try to understand cross origin resource sharing in easy language, in this case we can say that if there is a bug in a website, in such a way sensitive data from one domain to another domain can be accessed.
Like suppose we have a website which has vulnerability of cross origin resource sharing, in such a way hackers can see the information of admin by forwarding the request to another domain as an origin.
Like you have been told by solving lab of cross origin resource sharing in this article, when you use it, then you yourself understand how this vulnerability works.
This bug occurs in a website when the CORS policy through web developer is not used properly, here you get more labs, but if you are new, it might be a bit hard to solve those labs.
Cross Origin Resource Sharing lab ?
Let us now tell you practically by doing this how the cross origin resource sharing bug is found in a website, here we are telling you all this by lab solving.
Here first you have to run the burp suite and after that keep the intercept off, all this we have told you in almost all the articles, after doing all this you can access the lab.
After accessing lab you have to login login information you get in lab itself, after login here, we have to access the api key of administrator account by using wiener account.
After login, you have to go to my account option, there you can see that you are getting api key show, here you can note api key, this is the api key of wiener account.
After doing all this, you get a url address in the burp suite by the name details in http history, as you can see in the image, this is how you get it in real website.
Here you have to go to the response as you can see in the image, here you get the option of request and response, here the response is what you are getting from the server.
After doing all this, you have to send this request to the repeater as you have been told in earlier articles, how to send the request to the repeater, you have to give the origin as you can see in the image.
Here we have told you to understand normally here, you can also use some other kind of website, after doing all this, you have to send the request.
After doing all this, you have to go to the exploit server, you have to give your lab id in the body in some way, this code is found in the lab as well as the solution.
Here you are getting a mistake in the image. What is the person of Intermediate level must have understood. We have given an extra slash here by mistake, here your lab id should be something like this.
After doing all this, you have to store first, after that you have to deliver exploit to victim as you can see in the image, you have to do something similar.
After doing all this, when you exploit the view, in this way you will be able to see the log key administrator, here we have to remove the api key by using this key.
Here, you can copy this key and find the api key by using the decoder as you can see in the image, in this way you can find the api key by decode the log key as decode as url.
Here you can notice that the wiener account of api is different and the administrator account is different. Here lab solve becomes when submitting the api key of administrator account on submit solution
As you can see in the image, like we get a message of congratulations on solving all labs, similarly you have also got to solve labs of Cross Origin Resource Sharing.
I hope that now you can understand about Cross Origin Resource Sharing Vulnerability, here we have told you by solving one of its labs, you can try other labs.
Here we want to make you clear one thing, we have told you here and all the vulnerability about it earlier, you must try it on some kind of live website too.
By doing this, you will understand how all these bugs effect in some kind of real website, as well as you have to visit any website properly before bug bounty.
If you have any kind of question to solve the labs of Cross Origin Resource Sharing Vulnerability or any such kind of question, then you can ask in a comment, your full help will be from our side.
I hope you will like our article of Cross Origin Resource Sharing Vulnerability. We have told you about many types of bugs here. You can also read them.
Subscribe to our blog for latest updates
Sharing is Caring