A few days ago I noticed a blog post about exploiting Facebook chat and reading all of a user's chats, which got me interested in the issue. It was basically a misconfigured CORS policy where the null origin was allowed together with Access-Control-Allow-Credentials: true. This was not something I was hearing about for the first time; @albinowax from PortSwigger explained it very well in his blog post. So after reading that Messenger blog post I went to test for the same issue on some targets where I was allowed to test it.
But before that, here are some tips about CORS and when it can be exploitable from an attacker's point of view:
POORLY IMPLEMENTED, BEST CASE FOR ATTACK:
POORLY IMPLEMENTED, EXPLOITABLE:
BAD IMPLEMENTATION BUT NOT EXPLOITABLE:
Even this is not good from a development point of view, but because of the rules of CORS, if Access-Control-Allow-Origin is set to * we get no benefit from Access-Control-Allow-Credentials: true: the browser will not attach the victim's cookies to the request, so there is no access to the victim's session.
When you can't exploit it even if the above misconfigurations are present:
- A custom header in the request is used to authenticate the user.
- A unique key or authentication token is present in the request URI.
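To make the cases above concrete, here is an added example (my own code, not from the post or from the Facebook/PortSwigger write-ups) that classifies a CORS response by the Origin that was sent and the headers that came back, including the two "can't exploit" conditions, and then shows the exact-match allow-list a server should use instead. Treating reflected arbitrary origins as the "best case" and the null origin as merely "exploitable" is my reading of the headings; the hostnames are hypothetical and nothing is sent over the network.

```python
# Added example: classify CORS response headers against the cases in the post,
# then the server-side allow-list check that avoids all of them.

def classify_cors(origin_sent, headers, auth_in_custom_header=False,
                  secret_in_uri=False):
    """origin_sent: the Origin value a test request carried ("null" or an
    origin the tester controls). headers: response headers as a dict."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None or (acao != "*" and acao != origin_sent):
        return "not vulnerable"  # the tester's origin is not allowed at all
    if acao == "*":
        # Browsers never send cookies to a wildcard origin, even when
        # Access-Control-Allow-Credentials: true is present.
        return "bad implementation but not exploitable"
    if not creds:
        # Origin reflected but no credentials: only public data is readable.
        return "bad implementation but not exploitable"
    if auth_in_custom_header or secret_in_uri:
        # A cross-origin page can neither add the custom auth header nor
        # know the key in the URI, so the victim's data is not reachable.
        return "misconfigured but not exploitable"
    # Credentials accepted for a foreign origin: the null-origin case from the
    # post, or (assumed worse here) any origin reflected back.
    return "exploitable" if origin_sent == "null" else "best case for attack"


# Hypothetical allow-list; the real one lists your own first-party origins.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}

def cors_headers(request_origin):
    """Server side: exact allow-list match only. Never reflect the request
    Origin, never allow "null", never pair "*" with credentials."""
    if request_origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": request_origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}  # Vary keeps caches from mixing origins
    return {}  # no CORS headers at all: the browser blocks the read


if __name__ == "__main__":
    for o in ("https://evil.example", "null"):
        print(o, "->", classify_cors(o, cors_headers(o)))
    print(cors_headers("https://app.example.com"))
```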