I'm less interested in how vulnerable Bluehost and Dreamhost are (of course they are), and more interested in how good a writeup this is about finding variants of and then weaponizing a handful of vulnerabilities most pros would write off as sev:lo hygiene bugs. The form POST as JSON is particularly cute. This is pretty great. Here's a quick breakdown:

1. Autogenerating CORS headers based on a regexp that can be tricked into allowing <safe.org>.evil.org.
2. A form POST encoded text/plain that gets interpreted as JSON to bypass the CSRF check.
3. Using CORS origin check gaps to do an HTTP downgrade.
4. XSS-ATO by email address changes (this is pretty vanilla).
5. Sending "token[]=" to break the PHP CSRF token check through type confusion.
6. Breaking a different CORS generator by smuggling the whitelisted domain into a ?urlparam=safe.org.
7. Setting content-type=text/plain; application/json to fake out the browser check for JSON and bypass CSRF at OVH.
8. Some fiddly and not super interesting CSP bypasses.
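As an added example (not code from the writeup or from any of the hosts it covers), here are the three server-side checks behind items 1, 2/7 and 5 written loosely and then strictly in Python; the allowlist, the weak regexp and the sample values are constructed for illustration.

```python
import hmac
import re
from urllib.parse import urlsplit

# Constructed allowlist for the example; a real deployment would load its own.
ALLOWED_ORIGINS = {"https://safe.org", "https://www.safe.org"}

# Item 1: the weak pattern anchors on the allowlisted host but lets anything
# follow it, so an Origin of https://safe.org.evil.org also matches.
WEAK_ORIGIN_RE = re.compile(r"^https?://(www\.)?safe\.org")


def origin_allowed_weak(origin: str) -> bool:
    return WEAK_ORIGIN_RE.match(origin) is not None


def origin_allowed(origin: str) -> bool:
    """Strict check: parse the Origin, require https (no downgrade, item 3)
    and compare scheme://host exactly against the allowlist."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.netloc or parts.path or parts.query:
        return False
    return f"{parts.scheme}://{parts.netloc}" in ALLOWED_ORIGINS


def is_json_content_type(content_type: str) -> bool:
    """Items 2 and 7: a form can cross-origin POST text/plain without a
    preflight, so only a media type of exactly application/json (parameters
    aside) may be parsed as JSON. 'text/plain; application/json' is text/plain."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type == "application/json"


def csrf_token_valid(submitted, expected: str) -> bool:
    """Item 5: a 'token[]=' parameter arrives as a list, not a string. Reject
    any non-string value outright, then compare in constant time."""
    if not isinstance(submitted, str) or not isinstance(expected, str):
        return False
    return hmac.compare_digest(submitted.encode(), expected.encode())
```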
It's usually a lot easier to write the PoC with fetch() though.