This bug was found in a private program, so this post will not disclose any information about the target. To avoid giving anything away about the target, all endpoints, parameters and token names mentioned in this post are made up. The target will be referred to as redacted.com.
The bug lets an attacker take advantage of a CORS misconfiguration to steal a token from the victim. The attacker can then use that token to access the target's service, without authorization, on behalf of the victim.
Background
I had been working on this target for almost a week. I had tested most of the requests and responses, but nothing much seemed interesting to me. So I re-checked all requests and responses in Burp Suite, and I realized that one of the requests, shown below, is vulnerable to CORS:
GET /token HTTP/1.1
Host: subdomain.redacted.com
Origin: https://www.redacted.com
Connection: close
Accept: */*
Cookie: some-Cookies=xxxxxxxxxxxx;
The response looks like this:
{"some_token":"xxxxxxxxxxxxxxxxxxxxxx"}
This endpoint gives a 200 response even when I change the Origin header to www.evil.com, so an attacker would be able to steal the victim's token. However, if I just reported this as a bug, it would most likely be closed as N/A. So I needed to figure out what this token is and how it could be used to create real impact on the target.
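To make the misconfiguration concrete, here is an added example (not code from the original post; every name and header value in it is constructed) that classifies a response to the /token request by its CORS headers and shows the exact-match allowlist check that would have refused the www.evil.com origin. It assumes, as a browser would require to read the token cross-origin, that the misconfigured server reflects the request Origin in Access-Control-Allow-Origin and sets Access-Control-Allow-Credentials: true.

```python
from urllib.parse import urlsplit

# Origins legitimately allowed to read /token (constructed allowlist).
ALLOWED_ORIGINS = {"https://www.redacted.com", "https://subdomain.redacted.com"}


def classify_cors(request_origin, response_headers):
    """Classify a cross-origin response to a cookie-authenticated endpoint.

    request_origin:   value the client sent in the Origin header
    response_headers: dict of response headers (looked up case-insensitively)
    """
    hdrs = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = hdrs.get("access-control-allow-origin")
    acac = hdrs.get("access-control-allow-credentials", "").lower() == "true"

    if acao is None:
        return "safe: no ACAO header, the browser blocks the read"
    if acao == "*":
        # Browsers refuse to send cookies with a wildcard ACAO, so the
        # token behind a session cookie cannot be read cross-origin.
        return "info: wildcard ACAO, credentialed read blocked by browsers"
    if acao == request_origin and request_origin not in ALLOWED_ORIGINS:
        if acac:
            return "vulnerable: arbitrary origin reflected with credentials"
        return "weak: arbitrary origin reflected without credentials"
    return "safe: ACAO limited to a trusted origin"


def allow_origin(origin):
    """Hardened server-side check: return the ACAO value to send, or None.

    The whole origin (scheme + host + port) must match an allowlist entry
    exactly; substring or regex checks let redacted.com.evil.com through.
    """
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.netloc or parts.path:
        return None
    return origin if origin in ALLOWED_ORIGINS else None


# Constructed responses modelled on the /token endpoint described above:
# the misconfigured one reflects the attacker origin, the fixed one is silent.
VULNERABLE_RESPONSE = {
    "Access-Control-Allow-Origin": "https://www.evil.com",
    "Access-Control-Allow-Credentials": "true",
    "Content-Type": "application/json",
}
FIXED_RESPONSE = {"Content-Type": "application/json"}
```

Running classify_cors over captured responses from your own endpoints is a quick way to confirm a fix: the "vulnerable" verdict only appears when an untrusted origin is reflected together with credentials.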