Burp Scanner Report


Burp Scanner Report file:///home/kali/Desktop/ajaxQm


Summary
The table below shows the numbers of issues identified in different categories. Issues are classified according to severity as
High, Medium, Low or Information. This reflects the likely impact of each issue for a typical organization. Issues are also
classified according to confidence as Certain, Firm or Tentative. This reflects the inherent reliability of the technique that was
used to identify the issue.

                          Confidence
                     Certain   Firm   Tentative   Total
Severity  High          0       0        0          0
          Medium        0       0        0          0
          Low           0       0        0          0
          Information   1       0        0          1

The chart below shows the aggregated numbers of issues identified in each category. Solid colored bars represent issues with
a confidence level of Certain, and the bars fade as the confidence level falls.

[Bar chart: number of issues (0 to 4) per severity, High / Medium / Low; all three bars are empty, the single finding being Information / Certain]

Contents
1. Cross-origin resource sharing

1. Cross-origin resource sharing

1 of 3 11/1/23, 15:57

Summary
Severity: Information

Confidence: Certain

Host: https://accountscenter.instagram.com

Path: /ajax/qm/

Issue detail
The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request.

Issue background
An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can
perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls
per-request based on the URL and other features of the request.

If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in
to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially
retrieve content from the application, and sometimes carry out actions within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be
leveraged by an attacker to exploit the trust relationship and attack the application that allows access. CORS policies on pages
containing sensitive information should be reviewed to determine whether it is appropriate for the application to trust both the
intentions and security posture of any domains granted access.

Issue remediation
Any inappropriate domains should be removed from the CORS policy.
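Deciding which domains are "inappropriate" means replaying the request with different Origin values and reading the Access-Control-* headers that come back. The following is an added example, not part of the Burp report: a small Python classifier for one replayed request. The first header block copies the relevant lines of the response captured in this report (own origin allowed, credentials true, Vary: Origin present); the other header blocks are constructed variants, and https://evil.example is a hypothetical attacker origin.

```python
# Added example, not from the Burp report: classify a CORS response for one
# replayed request. The first header block copies the relevant lines of the
# response captured in the report; the others are constructed variants, and
# https://evil.example is a hypothetical attacker origin.
from urllib.parse import urlsplit

TARGET_URL = "https://accountscenter.instagram.com/ajax/qm/"

# Relevant Access-Control-* and Vary lines from the captured response.
REPORT_RESPONSE = """HTTP/1.1 200 OK
Access-Control-Expose-Headers: X-FB-Debug, X-Loader-Length
Access-Control-Allow-Methods: OPTIONS
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://accountscenter.instagram.com
Vary: Origin
Vary: Accept-Encoding
"""

# Constructed variants of what a misconfigured server might return instead.
REFLECTED_RESPONSE = """HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://evil.example
"""
NULL_RESPONSE = """HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: null
"""
WILDCARD_RESPONSE = """HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
"""


def parse_headers(raw):
    """Parse a raw header block into {lower-cased name: [values]}.
    Repeated headers (the report has two Vary lines) are kept in order."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and not name.startswith("HTTP/"):
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def origin_of(url):
    """scheme://host[:port], which is what the browser compares ACAO against."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def probe_origins(target_url):
    """Origin values worth replaying: own origin, attacker domain, null, and a
    domain that merely starts with the target host (catches prefix matching)."""
    own = origin_of(target_url)
    host = urlsplit(target_url).netloc
    return [own, "https://evil.example", "null", f"https://{host}.evil.example"]


def classify_cors(target_url, probe_origin, raw_response):
    """Return (severity, reason) for the response to a request sent with
    Origin: probe_origin. Severities follow the report's scale."""
    h = parse_headers(raw_response)
    acao_values = h.get("access-control-allow-origin", [])
    if not acao_values:
        return ("none", "no Access-Control-Allow-Origin; browsers block cross-origin reads")
    acao = acao_values[-1]
    credentialed = any(v.lower() == "true" for v in h.get("access-control-allow-credentials", []))
    vary_origin = any("origin" in [t.strip().lower() for t in v.split(",")] for v in h.get("vary", []))

    if acao == "*":
        if credentialed:
            return ("low", "ACAO * with credentials=true; browsers refuse the combination, so cookies are not exposed, but the configuration intent is wrong")
        return ("info", "ACAO * without credentials; only unauthenticated content is readable cross-origin")
    if acao == "null":
        return ("high" if credentialed else "medium", "ACAO null; a sandboxed iframe or data: URL page sends Origin: null and can read the response")
    if acao == origin_of(target_url):
        return ("info", "ACAO equals the target's own origin; no other site is granted access")
    if acao == probe_origin:
        reason = "ACAO reflects the attacker-controlled probe origin" + (" with credentials" if credentialed else "")
        if not vary_origin:
            reason += "; Vary: Origin is missing, so a shared cache may serve this to other origins"
        return ("high" if credentialed else "medium", reason)
    return ("medium" if credentialed else "low", f"ACAO allow-lists another origin ({acao}); review whether that domain should be trusted")


def run_checks():
    """Classify the captured response and the constructed variants."""
    own = origin_of(TARGET_URL)
    return {
        "report": classify_cors(TARGET_URL, own, REPORT_RESPONSE),
        "reflected": classify_cors(TARGET_URL, "https://evil.example", REFLECTED_RESPONSE),
        "null": classify_cors(TARGET_URL, "null", NULL_RESPONSE),
        "wildcard": classify_cors(TARGET_URL, "https://evil.example", WILDCARD_RESPONSE),
    }


if __name__ == "__main__":
    for name, (severity, reason) in run_checks().items():
        print(f"{name:10} {severity:6} {reason}")
```

Run against the captured response, the classifier lands on "info", which is why the scanner reports only that a policy exists: the allowed origin is the site's own, and Vary: Origin is set so caches keep per-origin responses apart. The same request replayed with each value from probe_origins() is what separates this informational finding from a reflected-origin or null-origin misconfiguration.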

References
• Exploiting CORS Misconfigurations

Vulnerability classifications
• CWE-942: Overly Permissive Cross-domain Whitelist

Request
POST /ajax/qm/?__a=1&__user=0&__comet_req=24&jazoest=26511 HTTP/1.1
Host: accountscenter.instagram.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 187
Origin: https://accountscenter.instagram.com
DNT: 1
Connection: close
Referer: https://accountscenter.instagram.com/?__coig_login=1
Cookie: csrftoken=QRVlImZdnL57BrxFaYLobaSHk5GMRzfW; mid=ZUFDDwAEAAFtRtAMktZU1-Jf_i66; ig_did=B9A8FE3D-D166-46DA-8EFE-05CB25E9F27D; ig_nrcb=1; datr=Y0lBZd5Pm5ma4rbZMeO5cWd-; rur="CCO\05457503610842\0541730394559:01f7f4da1545b38d0ac5def1302afefd45c9eeaedea371d83186ce9d00f087632923b3c7"; ds_user_id=57503610842; shbid="19002\05457503610842\0541730385753:01f7fc69748b405e71343b85ae1cf8199be8cee98aa0e7d07bbd6a82291b81d5344a4feb"; shbts="1698849753\05457503610842\0541730385753:01f71528ff7d1e6b0f46ad7d486df8d9b5823b47c37028a5f12c0524ff3a0f0ac0567283"; sessionid=57503610842%3A30VasReFtFYaYF%3A26%3AAYeMiuyp6d8qgddNC1USgqx2Dv1IesrjwnarM4f7hA
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin

event_id=7296541944856030337&marker_page_time=9779&script_path=%2F&weight=0&client_start=1&fb_dtsg=NAcMifbeAbw6aQAnRteNhXVvpMIZ5m_iMuhf30tUWWheiVbb4P8aohw%3A17854231342124680%3A1698856315

Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript; charset=utf-8
reporting-endpoints: default="https://accountscenter.instagram.com/ajax/comet_error_reports/?device_level=unknown"
document-policy: force-load-at-top
permissions-policy: accelerometer=(), ambient-light-sensor=(), bluetooth=(), camera=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), magnetometer=(), microphone=(), midi=(), payment=(), screen-wake-lock=(), serial=(), usb=()
cross-origin-resource-policy: cross-origin
cross-origin-opener-policy: same-origin-allow-popups
Pragma: no-cache
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
X-Content-Type-Options: nosniff
report-to: {"max_age":259200,"endpoints":[{"url":"https:\/\/accountscenter.instagram.com\/ajax\/comet_error_reports\/?device_level=unknown"}]}
X-Frame-Options: DENY
Access-Control-Expose-Headers: X-FB-Debug, X-Loader-Length
Access-Control-Allow-Methods: OPTIONS
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://accountscenter.instagram.com
Vary: Origin
Vary: Accept-Encoding
Strict-Transport-Security: max-age=15552000
X-FB-Debug: 72uXf1L59BNAFjxfPMxbUXYXYLbxoGzK/K67/BTdGass+enve1ghHSssbDtHX3gq5gL0KzchB7S4YvNJkAriLw==
Date: Wed, 01 Nov 2023 17:09:33 GMT
Connection: close

for (;;);{"__ar":1,"payload":null,"lid":"7296542013442629598"}

Report generated by Burp Suite web vulnerability scanner v1.7.34, at Wed Nov 01 15:02:10 EDT 2023.

