Closed data-sync-user closed 7 months ago
➤ Scott Fraser commented:
Conversation in HackerOne ticket ( https://hackerone.com/reports/2397360 ) to date:
{quote}Scott Fraser commented in H1:{quote}
Hi p3db (hackerone reporter), can you provide a link which would trigger this CORS issue? If a victim needs to intercept their own request to add a header, we consider that a session fixation issue.
{quote}p3db replied:{quote}
Variant analysis:
Check this vulnerability on other variants of *.nonprod.cloudops.mozgcp.net
scott-f, I consider it a more severe issue because if the header Access-Control-Allow-Origin: * can be inserted in the responses, then, if an attacker has an XSS, he is able to chain it, thus bypassing CORS.
When such header is in the responses, the attacker can use XHR to set a new request header, in this case, Origin: null and open the website in a new window, with the XSS payload and the malicious header.
In short, if there is an XSS to combine with this vulnerability, then it would be like:
{quote}Scott Fraser replied:{quote}
Hi @p3db, I checked our documentation here ( https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin ) and it says Attempting to use the wildcard with credentials results in an error.. This bug only returns when the user does not provide a cookie. When a user provides a cookie, Access-Control-Allow-Origin returns null, not .
!Access-Control-Allow-Origin_authenticated.png|width=1020,height=329!
!Access-Control-Allow-Origin_no_auth.png|width=1042,height=323!
The documentation also says Note: null should not be used [...].
I agree that with an XSS bug (no known XSS to trigger this Access-Control-Allow-Origin issue is known at time of writing), this issue might be used for malicious activities. I'm going to request additional information from the team that manages this service and see what they say. Thank you for being patient with us while we sort this one out. As updates are made available, they will be posted here (here in context is HackerOne).
➤ Scott Fraser commented:
The problem is a misconfiguration of the Access-Control-Allow-Origin response header when the client request contains the header Origin: null. MDN docs ( https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin ) says that Access-Control-Allow-Origin is only supposed to reply with * for unauthenticated users, and Null should not be used at all as it’s function may change in the future. An as yet unknown XSS vulnerability may be able to leverage this Access-Control-Allow-Origin: null into a issue at a future time.
➤ HackerOne JiraIntegration commented:
p3db posted a comment on HackerOne: Sure @scott-f, will be looking forward to it. Just a note, in short we can say that it affects unauthenticated users but remember that a user that has a valid login may end up on an infected page that he will use to actually submit the login.
➤ Scott Fraser commented:
Hi Nan Jiang, can you take a look at this HackerOne report and help determine the impact or if it needs to be fixed? It seems like Access-Control-Allow-Origin header may be improperly set if a user provides the header Origin: null.
➤ Nan Jiang commented:
Hi Scott Fraser, thanks for the flag! We will take a look into this.
➤ Nan Jiang commented:
After reviewing the CORS settings ( https://github.com/mozilla-services/merino-py/blob/main/merino/main.py#L62-L67 ) in Merino, we believe that the settings are configured as expected. Here is more context:
To my understanding, the above handling should defend most of the XSS attacks. Though I am also open to hearing other thoughts if i missed anything.
cc: Scott Fraser Frida Kiriakos
➤ Scott Fraser commented:
Thank you for reviewing this issue. That all looks good to me and I will close out the HackerOne report as informative.
➤ HackerOne JiraIntegration commented:
scott-f closed the report on HackerOne as informative:
Hi @p3db, I chatted with the developers and reviewed source code that generates this header for Merino here. After review, and considering the context of this application's use case, header Access-Control-Allow-Origin
is set correctly.
Thank you for researching this potential issue and bringing it to our attention for review.
HackerOne Report: https://hackerone.com/reports/2397360 Report Date: February 29, 2024, 10:43pm UTC Reporter: p3db Weakness: Improper Neutralization of HTTP Headers
Initial Report:
Summary:
An attacker can inject the header
Access-Control-Allow-Origin: *
to the responses by addingOrigin: null
in the HTTP request.Steps to Reproduce
Request (normal request)
Response (normal)
Proof of Concept
Adding
Origin: null
in HTTP requestResponse with
Access-Control-Allow-Origin: *
injected.Impact
The exploitation of this vulnerability is crucial to chain with other vulnerabilities/attacks, highlighting the bypass of the CORS configurations.
┆Issue is synchronized with this Jira Bug ┆Attachments: Access-Control-Allow-Origin_authenticated.png | Access-Control-Allow-Origin_no_auth.png