
Python: CORS Bypass #833

Closed
2 tasks
porcupineyhairs opened this issue Jun 23, 2024 · 9 comments
Assignees
Labels
All For One Submissions to the All for One, One for All bounty

Comments

@porcupineyhairs

Query PR

github/codeql#16814

Language

Python

CVE(s) ID list

GHSA-824x-jcxf-hpfg
CVE-2022-3457

CWE

CWE-346

Report

This PR adds a query to detect a Cross Origin Resource Sharing (CORS) policy bypass due to an incorrect check.

This PR attempts to detect the vulnerability pattern found in CVE-2022-3457

if request.method in ['POST', 'PUT', 'PATCH', 'DELETE']:
    origin = request.headers.get('Origin', None)
    if origin and not origin.startswith(request.base):
        raise cherrypy.HTTPError(403, 'Unexpected Origin header')

In this case, a value obtained from a header is compared using a startswith call. This comparison is easily bypassed, resulting in a CORS bypass. Given that similar bugs have been found in other languages as well, I think this PR would be a great addition to the existing Python query pack.

The databases for CVE-2022-3457 can be downloaded from

https://filetransfer.io/data-package/i4Mfepls#link
https://file.io/V67T4SSgmExF

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

  • Yes
  • No

Blog post link

No response
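The bypass described in the report above, worked through as an added example (this is editor-supplied code, not part of the submission, the CodeQL query, or the affected project). The vulnerable function mirrors the snippet's `startswith` prefix test; the hardened function parses both values and compares scheme, host and effective port exactly. The base value `https://app.example` and the attacker-controlled origins are constructed for illustration; CherryPy's `request.base` is assumed to be of the form `scheme://host[:port]` with no trailing slash, which is what makes the prefix match bypassable.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed value standing in for cherrypy's request.base.
BASE = "https://app.example"


def vulnerable_origin_check(origin, base):
    """Prefix match as in the reported pattern.

    Returns True when the request would be allowed: either no Origin
    header was sent, or the Origin string merely starts with `base`.
    """
    return not origin or origin.startswith(base)


def _origin_tuple(url):
    """Reduce an origin-like URL to (scheme, host, port), or None if it
    is not a well-formed http(s) origin."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    # .hostname is already lower-cased by urlsplit
    return (parts.scheme, parts.hostname, port)


def strict_origin_check(origin, base):
    """Exact origin comparison: scheme, host and effective port must match.

    A missing Origin header is still allowed, matching the original
    snippet; the literal "null" origin is rejected outright.
    """
    if not origin:
        return True
    if origin == "null":
        return False
    expected = _origin_tuple(base)
    return expected is not None and _origin_tuple(origin) == expected


def compare_checks(base, origins):
    """Return (origin, allowed_by_prefix_check, allowed_by_strict_check)
    for each candidate Origin value."""
    return [
        (o, vulnerable_origin_check(o, base), strict_origin_check(o, base))
        for o in origins
    ]


# Constructed Origin header values an attacker might send.
CANDIDATES = [
    "https://app.example",                 # legitimate
    "https://app.example:443",             # legitimate, explicit default port
    "https://app.example.attacker.test",   # attacker-registered subdomain
    "https://app.example:8443",            # different port, same host prefix
    "http://app.example",                  # scheme downgrade
    "null",                                # opaque origin (sandboxed iframe, etc.)
]

if __name__ == "__main__":
    for origin, weak, strict in compare_checks(BASE, CANDIDATES):
        print(f"{origin:40} startswith={weak!s:5} strict={strict!s:5}")
```

The two cases that separate the checks are the attacker-registered hostname that begins with the expected base and the same host on a different port: both pass the prefix test and fail the exact comparison.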

@porcupineyhairs porcupineyhairs added the All For One Submissions to the All for One, One for All bounty label Jun 23, 2024
@pwntester pwntester self-assigned this Jun 26, 2024
@ghsecuritylab
Collaborator

Your submission is now in status Results analysis.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

@ghsecuritylab
Collaborator

Your submission is now in status Query review.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

@ghsecuritylab
Collaborator

Your submission is now in status Final decision.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

@xcorail
Contributor

xcorail commented Jul 8, 2024

Created Hackerone report 2590110 for bounty 594470 : [833] Python: CORS Bypass

@xcorail xcorail closed this as completed Jul 8, 2024
@ghsecuritylab
Collaborator

Your submission is now in status Closed.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

@porcupineyhairs
Author

@xcorail Thanks for the quick bounty.

@porcupineyhairs
Author

@xcorail This bounty application was closed before the PR was reviewed. I have added a qhelp and the tests now. With this, I would request that the H1 bounty severity be bumped to medium.

@xcorail
Contributor

xcorail commented Sep 5, 2024

Hello @porcupineyhairs
I will have a look

@xcorail
Contributor

xcorail commented Sep 11, 2024

Hello @porcupineyhairs

I re-scored the submission with the addition of the doc and tests, and it changed the overall score, but not significantly enough to pass the next level bar. Keep in mind that the documentation quality criterion is only one of the various factors that we score for a submission.

Best
