Lab: CORS vulnerability with internal network pivot attack — walkthrough

Ahmed Al-Ahmed
3 min read · Jun 26, 2022

Hey guys, in this short tutorial I will explain how I solved the expert-level CORS lab.

It takes a little time to set things up, so let's start!

According to the lab description, we need to scan the whole internal network until we find the private IP of the host we will attack.

So, after launching Burp Suite Collaborator, we deliver a payload that scans the whole internal network from the client side.

Scanning the whole internal network and pinging your Collaborator with the response.

After the payload is delivered to the victim, your Collaborator receives an HTTP request from the victim's browser that contains the IP of the internal host and the content of its page.

After decoding it, you will notice that the page content matches the lab's own web page. So now we need to find an XSS vulnerability in that website itself, which gives us the ability to launch our CORS vectors from inside the internal network.

After some searching, you will find that the login form normally submits a POST request, but if you send the same parameters as a GET request, the parameter value is reflected inside the input fields.

Reflected username parameter

So, let's try some XSS vectors. Oh, the simplest payload works!

XSS attack against the login page

So now we can play a little with the client side. In this phase we need to read the admin page from the client side; it should be accessible.

XSS Vector to read admin page

What we did here is load the admin panel page inside our iframe; once the page has loaded, it triggers a request to our server carrying the page content.
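The pivot above works because a page on a trusted internal origin is allowed to read the application's responses. As an added example that is not from the original post or the lab, the following contrasts the weak pattern of reflecting whatever Origin the browser sends with an exact-match allowlist; the ALLOWED_ORIGINS set and both function names are assumptions made for the example.

```python
# Added example (not from the original post): weak vs. hardened CORS origin handling.
from urllib.parse import urlsplit

# Assumption for the example: the only origins that should ever read responses.
ALLOWED_ORIGINS = {"https://app.example", "https://admin.example"}


def cors_headers_reflecting(origin):
    """Weak pattern: echo the request's Origin header back, with credentials.

    Any page the victim's browser loads, including one on an internal host
    reached through XSS, can then read authenticated responses.
    """
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_allowlisted(origin):
    """Hardened pattern: exact allowlist match, reject 'null' and unknown origins.

    Returns an empty dict (no CORS headers at all) unless the origin is
    exactly one of ALLOWED_ORIGINS; adds Vary: Origin so caches keep
    per-origin responses separate.
    """
    if origin is None or origin == "null":
        return {}
    parts = urlsplit(origin)
    normalized = f"{parts.scheme}://{parts.netloc}"
    # Reject non-https, anything with a path/extra suffix, and prefix tricks
    # such as https://app.example.evil (an exact set lookup, not startswith).
    if parts.scheme != "https" or normalized != origin or normalized not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": normalized,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


if __name__ == "__main__":
    # Constructed sample: an Origin from a private-range host, as in the pivot.
    for fn in (cors_headers_reflecting, cors_headers_allowlisted):
        print(fn.__name__, fn("http://192.168.0.5"))
```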

After decoding the response, the most interesting part is:

Detecting the endpoint to delete Carlos and solve the lab!

Now everything is easy. One step is left to solve this lab: we need to make a POST request with username=carlos to delete the user.

XSS Vector to delete Carlos

Yes! That's it.
