
Cross-origin resource sharing (CORS)

Cross-origin resource sharing (CORS) is a browser mechanism that enables controlled access to resources located outside of a given domain. It extends and adds flexibility to the same-origin policy (SOP). However, it also creates potential for cross-domain attacks if a website's CORS policy is poorly configured or implemented. CORS is not a protection against cross-origin attacks such as cross-site request forgery (CSRF).

Same-origin policy

The same-origin policy is a restrictive cross-origin specification that limits the ability of a website to interact with resources outside of the source domain. The same-origin policy was defined many years ago in response to potentially malicious cross-domain interactions, such as one website stealing private data from another. It generally allows a domain to issue requests to other domains, but not to access the responses.

Vulnerabilities

Many modern websites use CORS to allow access from subdomains and trusted third parties. Their implementation of CORS may contain mistakes or be overly lenient to ensure that everything works, and this can result in exploitable vulnerabilities.
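As an added illustration (not code from the page or from any of the linked write-ups), the two functions below show a lenient origin check of the kind the paragraph describes beside a strict allowlist check. Both assume a server that reads the request's Origin header, passes it in, and copies the returned object onto the HTTP response; all origins used are constructed sample values.

```javascript
// Trusted origins, exact scheme + host + port (constructed sample values).
const TRUSTED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Lenient check seen in many deployments: "allow anything ending in our
// domain", then reflect the Origin and allow credentials. Without a leading
// dot (".example.com") the suffix test also accepts https://notexample.com,
// so an unrelated site can read authenticated responses.
function lenientCorsHeaders(origin) {
  if (typeof origin !== "string" || !origin.endsWith("example.com")) {
    return {};
  }
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Strict check: exact match against the allowlist. Unknown origins,
// including the literal "null" and a different port, get no CORS headers,
// so the same-origin policy keeps the response unreadable to them.
function strictCorsHeaders(origin) {
  if (typeof origin !== "string" || !TRUSTED_ORIGINS.has(origin)) {
    return {};
  }
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    // Responses differ per Origin; tell caches not to reuse them across origins.
    "Vary": "Origin",
  };
}

// Compare what each policy would grant for a list of request origins.
function compare(origins) {
  return origins.map((o) => ({
    origin: o,
    lenient: lenientCorsHeaders(o)["Access-Control-Allow-Origin"] ?? null,
    strict: strictCorsHeaders(o)["Access-Control-Allow-Origin"] ?? null,
  }));
}

console.table(compare([
  "https://app.example.com",
  "https://notexample.com",
  "https://app.example.com:8443",
  "null",
]));
```

The table printed at the end makes the difference visible: only the lenient policy grants `https://notexample.com` access, and it does so with credentials enabled.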

Content Security Policy (CSP)

The goal of CSP is to protect against Cross-Site Scripting (XSS) attacks by dictating which scripts should be trusted and which shouldn't. When a browser tries to run a script from an unknown source, CSP will block it unless it is on the list of trusted sources. If no CSP is provided, then a site will default to using the "Same-Origin Policy" (SOP).

Sample HTB Box

  1. https://0xdf.gitlab.io/2021/03/20/htb-crossfit.html

References:

  1. https://portswigger.net/web-security/cors
  2. https://systemweakness.com/first-bug-bounty-program-found-cors-cross-origin-resource-sharing-misconfiguration-52c1bd3ebfe0
  3. https://dev.to/sophiekaelin/what-is-the-difference-between-cors-and-csp-i7n
  4. https://anweshb.medium.com/cors-explained-2a91a34f72e2
  5. https://blog.securityevaluators.com/websockets-not-bound-by-cors-does-this-mean-2e7819374acc