After reading Geekboy's blog post on exploiting misconfigured CORS via wildcard subdomains (http://www.geekboy.ninja/blog/exploiting-misconfigured-cors-via-wildcard-subdomains/), I was reminded of a similar issue, with the same root cause, that I found at Dropbox.
The bug I found was an open redirect at https://paper.dropbox.com/ep/account/sign-in?cont=https://12dropbox.com .
Note that:
- Changing "cont" to any xyz.com domain didn't work.
- Changing "cont" to any xyz.dropbox.com domain didn't work.
I then tried xyzdropbox.com, and it worked.
So what could be the root cause of this bug?
The only plausible cause I can think of is a misconfigured regex.
For the sake of better understanding, let's consider two simple vulnerable regexes:
- The regex /dropbox\.com$/ matches every #{anything}dropbox.com domain, because nothing anchors the start of the match.
- In Geekboy's case, the regex could be similar to /^www\.site\.com/, which can be bypassed with www.site.com.#{anything} (or www.site.com#{anything}), because nothing anchors the end.
Both cases are fixed by anchoring the regex with ^ and $ on both ends (and escaping every dot):
- /^dropbox\.com$/
- /^www\.site\.com$/
The anchored pattern matches only that exact host. If legitimate subdomains must be allowed, allow them explicitly (for example /^(?:[a-z0-9-]+\.)*dropbox\.com$/), and run the check on the parsed hostname of the URL rather than on the raw parameter value, so that tricks like https://dropbox.com@evil.com are not matched by accident.
Conclusion:
While looking for bypasses, always check:
- evil.victim.com
- evilvaliddomain.victim.com
- validdomain.evilvictim.com
- validdomain.victim.comevil
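As an added example (my own code, not Dropbox's or Geekboy's), the script below runs the bypass checklist above against the two regex shapes the post describes, the anchored fix, and a parse-then-allowlist check. The regexes, the allowlist of Dropbox hostnames, and the probe URLs are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Regex shapes the post treats as vulnerable. These are assumptions about what
# the real checks looked like, not Dropbox's or Geekboy's actual code.
SUFFIX_ONLY = re.compile(r"dropbox\.com$")    # Dropbox case: no leading ^
PREFIX_ONLY = re.compile(r"^www\.site\.com")  # Geekboy-style case: no trailing $

# The post's fix, applied with fullmatch(): it anchors both ends for us and,
# unlike a trailing "$" in Python, does not accept a trailing newline.
EXACT_DROPBOX = re.compile(r"dropbox\.com")
EXACT_SITE = re.compile(r"www\.site\.com")


def host_of(url: str) -> str:
    """Hostname as a URL parser sees it (userinfo and port stripped, lowercased)."""
    return urlsplit(url).hostname or ""


def naive_allows(pattern: re.Pattern, url: str) -> bool:
    """The unanchored check: search for the regex anywhere in the hostname."""
    return pattern.search(host_of(url)) is not None


def anchored_allows(pattern: re.Pattern, url: str) -> bool:
    """The fixed check: the whole hostname must match."""
    return pattern.fullmatch(host_of(url)) is not None


# Hypothetical allowlist of hosts a "cont" parameter may redirect to.
ALLOWED_HOSTS = frozenset({"dropbox.com", "www.dropbox.com", "paper.dropbox.com"})


def safe_redirect_target(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Allowlist check for a redirect parameter: parse first, then compare the
    exact hostname. Never run the regex over the raw string."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    # Browsers treat "\" as "/" in http(s) URLs, and "user@host" puts the real
    # host after the "@"; refuse both rather than trust any parser to agree.
    if "\\" in url or "@" in parts.netloc:
        return False
    return parts.hostname in allowed_hosts


def bypass_probes(victim: str, valid_sub: str = "www") -> list:
    """The post's checklist plus the actual finding, as constructed https URLs."""
    return [
        f"https://evil.{victim}",              # evil.victim.com
        f"https://evil{valid_sub}.{victim}",   # evilvaliddomain.victim.com
        f"https://{valid_sub}.evil{victim}",   # validdomain.evilvictim.com
        f"https://{valid_sub}.{victim}evil",   # validdomain.victim.comevil
        f"https://12{victim}",                 # the Dropbox finding
    ]


def allowed_by(check, urls) -> list:
    """Which of the probe URLs a given check lets through."""
    return [u for u in urls if check(u)]


if __name__ == "__main__":
    probes = bypass_probes("dropbox.com")
    print("suffix-only regex allows:", allowed_by(lambda u: naive_allows(SUFFIX_ONLY, u), probes))
    print("anchored regex allows:   ", allowed_by(lambda u: anchored_allows(EXACT_DROPBOX, u), probes))
    print("allowlist allows:        ", allowed_by(safe_redirect_target, probes))
    site = ["https://www.site.com.evil", "https://www.site.comevil", "https://www.site.com"]
    print("prefix-only regex allows:", allowed_by(lambda u: naive_allows(PREFIX_ONLY, u), site))
    print("anchored regex allows:   ", allowed_by(lambda u: anchored_allows(EXACT_SITE, u), site))
```

The suffix-only regex lets four of the five probes through (everything except www.dropbox.comevil), the prefix-only regex lets both www.site.com.evil and www.site.comevil through, and the anchored and allowlist checks reject all of them. If real subdomains need to be accepted, compare `hostname == apex or hostname.endswith("." + apex)` on the parsed hostname rather than loosening the regex.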