正文
- 尝试注入Origin Header,例如:
Origin: http://me.com,如果Response中包含Access-Control -Allow-Origin: http://me.com和Access-Control- allow - credentials: True,则有CORS
GET /getInfo HTTP/1.1 Host: www.company.com User-Agent: Mozilla/5.0 Referer: https://previous.com/path Origin: http://me.com
- 尝试注入Origin Header,例如:
http://company.com.me.com,http://Acompany.com,http://companyAcom,http://company.comA和null获得CORS
GET /getInfo HTTP/1.1 Host: www.company.com User-Agent: Mozilla/5.0 Referer: https://previous.com/path Origin: http://company.com.me.com
3.尝试注入带有特殊字符的Origin Header,例如
& ' ";!$ ^ * ( ) + = ` ~ - _ = | { } % 还有: %01-08 , %0b , %0c , %0e , %0f , %10-%1f 以及 %7f
GET /getInfo HTTP/1.1 Host: www.company.com User-Agent: Mozilla/5.0 Referer: https://previous.com/path Origin: http://me.com`.company.com
4.尝试注入Origin Header,例如:http://me.com,如果响应包含Access-Control-Allow-Origin: *和Cache-Control:no-cache尝试使用如下POC:
<html> <script> var url = "https://www.company.com/getInfo"; fetch(url, { method: 'GET', cache: 'force-cache' }); </script> </html>
5.尝试使用Web缓存欺骗攻击,添加静态文件,例如nonexist .css或logo.png到接口去缓存敏感响应
GET /getInfo/nonexistent.css HTTP/1.1 Host: www.company.com User-Agent: Mozilla/5.0 Referer: https://previous.com/path Origin: https://www.company.com
6.尝试添加jsonp 或者回调,例如 http://company.com/getInfo?jsonp=function ,保证可以读取响应
7.尝试在响应头中找出:在HTTP/1.1 Response中是否有 Cache-Control: no-cache或者Pragma: no-cache
HTTP/1.1 200 OK Content-Length: Number Cache-Control: no-cache , no-store , must-revalidate Content-Type: application/json { "phone" : "01*********", "token" : "*************" }
- 响应中是否存在
X-Frame-Option Header(不得不承认google在给赏金方面很大方)
HTTP/1.1 200 OK Content-Length: Number X-Frame-Option: SAMEORIGIN Content-Type: application/json { "phone" : "01*********", "token" : "*************" }
9.尝试找出,有是否有 postMessage 的API,比如window.postMessage(“text”,“*”);或addEventListener(“message” function(message){message.origin});
复现步骤(这种漏洞往往赏金很高,fb给出的赏金往往好几万美金一个,读者可以根据我后面提供的最后参考可以深入研究):
- 跳转至
http://company.com/getInfo - 右击,查看 View Page Source
- 搜索
postMessage With * addEventListener With Argument-Function.origin
参考
https://hackerone.com/reports/629892
https://hackerone.com/reports/688567
https://medium.com/@saamux/full-account-takeover-through-cors-with-connection-sockets-179133384815 (IDOR+CORS)
https://www.youtube.com/watch?v=wgkj4ZgxI4c
https://hackerone.com/reports/761726
https://hackerone.com/reports/260697
https://hackerone.com/reports/397508
https://hackerone.com/reports/118631
https://wiki.owasp.org/index.php/Testing_for_Browser_cache_weakness_(OTG-AUTHN-006)#How_to_Test
https://medium.com/@osamaavvan/1800-worth-clickjacking-1f92e79d0414
https://medium.com/@raushanraj_65039/google-clickjacking-6a04132b918a
