Comments (12)
I think what's happening in this case is that the CORS preflight check isn't returning a success code
from canarytokens.
Hi @i-am-shodan,
Thanks for reporting in. This is an interesting use case. Am I correct in assuming that you are trying to use
.ext-footer
{
background-image: url('<LINK>');
background-size: 0 0;
}
where you replace the <LINK> with a web image bug?
Yep, that's it. Looking at the browser, it fails the CORS preflight check.
Worth saying I can also get this use case to work if I host the image on a service I control and correctly set a wildcard CORS policy.
Hi @i-am-shodan,
Would you mind trying this using a "custom web image bug"? I see we added support for CORS (here).
I've tried both
@i-am-shodan, can you check the response header contains the Access-Control-Allow-Origin: * ? In my test now, it is there. So when you browse to that login page, have the browser dev tools open on the Network tab; you should be able to inspect the request and response.
curl -vvv http://MYHOSTNAME/terms/traffic/npxix77cb0qfqf6aidlo6lj9p/img.png
> GET /terms/traffic/npxix77cb0qfqf6aidlo6lj9p/img.png HTTP/1.1
> Host: MYHOSTNAME
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx
< Date: Mon, 15 Jan 2024 14:05:56 GMT
< Content-Type: image/png
< Content-Length: 120
< Connection: keep-alive
< Access-Control-Allow-Origin: *
<
But I think the problem here (at least what the browser is reporting to me) is that it's failing the CORS preflight check (https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request). I have constructed one of these with:
curl -vvv -X OPTIONS -H "Access-Control-Request-Method: GET" -H "Access-Control-Request-Headers: origin, x-requested-with" -H "Origin: https://foo.bar.org" http://MYHOSTNAME/terms/traffic/npxix77cb0qfqf6aidlo6lj9p/img.png
I should be returning headers like:
Access-Control-Allow-Origin: https://foo.bar.org
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE
Access-Control-Max-Age: 86400
But it isn't; this is what I get:
* TCP_NODELAY set
* Connected to MYHOSTNAME (20.67.24.220) port 80 (#0)
> OPTIONS /terms/traffic/npxix77cb0qfqf6aidlo6lj9p/img.png HTTP/1.1
> Host: MYHOSTNAME
> User-Agent: curl/7.68.0
> Accept: */*
> Access-Control-Request-Method: DELETE
> Access-Control-Request-Headers: origin, x-requested-with
> Origin: https://foo.bar.org
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx
< Date: Mon, 15 Jan 2024 14:04:35 GMT
< Content-Length: 0
< Connection: keep-alive
< Access-Control-Allow-Origin: *
< Allow: OPTIONS, GET, POST
<
So my guess is that it's failing the preflight because Access-Control-Allow-Methods and Access-Control-Max-Age are not set.
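To make the failure above concrete, here is an added example (not code from the canarytokens project) that models the checks a browser applies to a preflight response, in a simplified form of the Fetch specification: the origin must match or be `*`, a non-safelisted method must appear in Access-Control-Allow-Methods, and every non-safelisted requested header must appear in Access-Control-Allow-Headers. It replays the OPTIONS request from the thread against the response the server returned, and against a constructed response that adds the missing headers; `preflight_headers` is a hypothetical helper, not the server's code.

```python
"""Simplified model of a browser's CORS preflight decision (no credentials assumed)."""

SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
# Request headers that never need to be listed in Access-Control-Allow-Headers
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}


def _tokens(value):
    """Split a comma-separated header value into a set of lowercase tokens."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}


def preflight_passes(request, response):
    """Return (ok, reason) for an OPTIONS preflight; header names are case-insensitive."""
    req = {k.lower(): v for k, v in request.items()}
    resp = {k.lower(): v for k, v in response.items()}
    allow_origin = resp.get("access-control-allow-origin")
    if allow_origin not in ("*", req.get("origin", "")):
        return False, "origin not allowed by Access-Control-Allow-Origin"
    method = req.get("access-control-request-method", "GET").upper()
    methods = {m.upper() for m in _tokens(resp.get("access-control-allow-methods", ""))}
    # A safelisted method (GET/HEAD/POST) passes even if Allow-Methods is absent
    if method not in methods and "*" not in methods and method not in SAFELISTED_METHODS:
        return False, f"method {method} not in Access-Control-Allow-Methods"
    wanted = _tokens(req.get("access-control-request-headers", ""))
    allowed = _tokens(resp.get("access-control-allow-headers", ""))
    missing = set() if "*" in allowed else wanted - allowed - SAFELISTED_HEADERS
    if missing:
        return False, f"headers not in Access-Control-Allow-Headers: {sorted(missing)}"
    return True, "ok"


def preflight_headers(request, allowed_methods=("GET", "OPTIONS")):
    """Hypothetical helper: headers a token server could return for a preflight."""
    req = {k.lower(): v for k, v in request.items()}
    return {
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Methods": ", ".join(allowed_methods),
        # Echo the requested headers so whatever the page adds is permitted
        "Access-Control-Allow-Headers": req.get("access-control-request-headers") or "*",
        "Access-Control-Max-Age": "86400",
    }


# Constructed from the curl session in the thread: the OPTIONS request sent ...
PREFLIGHT = {"Origin": "https://foo.bar.org",
             "Access-Control-Request-Method": "DELETE",
             "Access-Control-Request-Headers": "origin, x-requested-with"}
# ... and the headers the server answered with (only Allow-Origin, no Allow-Methods/Headers)
SERVER_BEFORE = {"Access-Control-Allow-Origin": "*", "Allow": "OPTIONS, GET, POST"}
```

Running `preflight_passes(PREFLIGHT, SERVER_BEFORE)` reports the DELETE method as the first thing the browser rejects, while `preflight_headers(PREFLIGHT, ("GET", "DELETE", "OPTIONS"))` produces a response that passes; a plain GET with only safelisted headers would have passed even against the original response, which is why the extra method and header in the test matter.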
Worth saying that with Chrome + Edge's devtools the request never appears because preflight fails.
Hi @i-am-shodan,
Thanks so much for all the detail. I've been reading up on this and it looks like you are correct. I'll be adding some preflight handling today.
Hi @i-am-shodan,
Please could you give it another shot using a custom web image token? I've added CORS preflight support.
Success! Thanks for implementing this.
FYI, another thing that is also needed for the scenario is for everything to be under TLS.