Hello, I'm Hossam Mostafa, known in the Bug Hunting community as ๐ฝ๐๐๐๐. I work as a Penetration Tester specializing in web, mobile, and network applications. In this report, I present a CORS misconfiguration vulnerability I discovered.
The Discovery:
I was working on something completely different, and thought: "Why not try adding an Origin like example.com and see what the server does..."
At first, the server responded normally without exposing any sensitive data, so I thought it was just default behavior and didn't pay much attention.
The next day, while testing a different endpoint, I added example.com again in the Origin header... Suddenly, the server responded with:

Access-Control-Allow-Origin: example.com and also Access-Control-Allow-Credentials: true!

Even worse, it returned cookies and a GraphQL response, proving the request actually reached the authenticated backend.
That's when I realized it was a real *CORS Misconfiguration*: a page on an attacker-controlled origin could send credentialed requests to the API and read the victim's data from the responses.
Of course, I reported it right away, but as usual, I was two days late and it turned out to be a *Duplicate*.

I kinda saw it coming, since I hadn't prioritized it at first while I was focused on something else. But that's how it goes sometimes.
Key indicators:
- Access-Control-Allow-Origin echoing the supplied Origin header value.
- Access-Control-Allow-Credentials: true on the same response (the combination that lets a foreign origin read a cookie-authenticated response; a wildcard `*` would be rejected by browsers when credentials are included).
- Cookies present in the responses and a backend GraphQL payload visible, showing the request was processed as an authenticated user.
Impact:
- An attacker hosting a malicious page could cause visitors who are logged into the target site to unknowingly issue authenticated API requests from that page and leak the privileged responses, and potentially perform actions, depending on which API endpoints are reachable under the misconfigured CORS policy.
"This report has been successfully accepted by Yeswehack."

And that's it, folks! I hope this write-up offers you valuable insights. Thank you for taking the time to read. If you have any thoughts or questions, please feel free to share them in the comments section. Thank you again, and happy bug hunting!
My LinkedIn: http://www.linkedin.com/in/hossam-mostafa-527842325