CORS Violation - TairinySimeonato/WebAuditing GitHub Wiki

What is CORS?

  • CORS allows a website to access resources on other websites.
  • CORS uses HTTP headers to tell the browser that a page has permission to access selected content from another domain.
  • CORS is a mechanism that allows restricted resources on a website to be requested from another domain.
  • CORS defines a way in which the browser and server can interact to determine whether or not it is safe to allow the cross-origin request.

Relevant HTTP headers

Request

  • Origin
  • Access-Control-Request-Method
  • Access-Control-Request-Headers

Response

  • Access-Control-Allow-Origin
  • Access-Control-Allow-Credentials
  • Access-Control-Expose-Headers
  • Access-Control-Max-Age
  • Access-Control-Allow-Methods
  • Access-Control-Allow-Headers

What does a wildcard (*) CORS policy allow an attacker to do?

  • If you verify that the website has a wildcard CORS policy, you can change the value of Origin in the request to an attacker-controlled website.
  • If the backend server code has something like *example.com, it is meant to enable cross-origin access for all the subdomains of example.com. However, if the attacker owns a website called attackerexample.com, that origin would be accepted as well.
  • Using XSS
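The suffix-match problem in the second bullet is easiest to see in code. The block below is an added example, not code from the WebAuditing wiki: a hypothetical server for api.example.com validates the request's Origin header first with a bare suffix match (the "*example.com" pattern the page describes) and then with a hardened check that parses the origin, requires https, and only matches a real subdomain boundary or an exact allowlist. The origins and allowlist are constructed for the example.

```javascript
// Added example (not from the WebAuditing wiki): weak versus hardened
// server-side validation of the Origin request header.

// Constructed allowlist for a hypothetical api.example.com service.
const TRUSTED_BASE = "example.com";
const EXACT_ALLOWLIST = new Set([
  "https://www.example.com",
  "https://app.example.com",
]);

// Weak check: "something like *example.com" implemented as a plain suffix
// match. "https://attackerexample.com" ends with "example.com", so it passes.
function weakOriginAllowed(origin) {
  return origin.endsWith(TRUSTED_BASE);
}

// Hardened check: parse the Origin value, require https, reject anything that
// is not a bare scheme://host[:port], then accept only an exact allowlist
// entry or a host that sits at a real label boundary under the base domain
// (".example.com"), so "attackerexample.com" cannot match.
function hardenedOriginAllowed(origin) {
  let url;
  try {
    url = new URL(origin);            // "null" and malformed values throw
  } catch (e) {
    return false;                     // missing, opaque or malformed Origin: deny
  }
  if (url.protocol !== "https:") return false;
  if (url.pathname !== "/" || url.search || url.hash) return false;
  if (EXACT_ALLOWLIST.has(url.origin)) return true;
  const host = url.hostname;
  return host === TRUSTED_BASE || host.endsWith("." + TRUSTED_BASE);
}

// Evaluate a list of origins under both checks, for a side-by-side view.
function compareOrigins(origins) {
  return origins.map(origin => ({
    origin,
    weak: weakOriginAllowed(origin),
    hardened: hardenedOriginAllowed(origin),
  }));
}

// Constructed probe origins: a legitimate subdomain, the lookalike from the
// page, a plain-http variant and the opaque "null" origin.
const PROBES = [
  "https://app.example.com",
  "https://attackerexample.com",
  "http://www.example.com",
  "null",
];
console.table(compareOrigins(PROBES));
```

The exact allowlist is the safer of the two hardened paths: once every subdomain is trusted, an XSS bug on any one of them reaches the API, which is the third bullet's point.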

Wildcard CORS policy

A wildcard CORS policy is appropriately used only when a page or API response is considered completely public content that is intended to be accessible to everyone.

How does CORS work?

  1. The browser sends a preflight OPTIONS request with an Origin HTTP header whose value is the origin of the page making the request. For example, if www.test.com wants to access data on www.example.com, the Origin HTTP header sent to www.example.com would be: Origin: http://www.test.com

  2. The server of the requested page (www.example.com) may respond in one of three ways:

  • 2.1) A response with an Access-Control-Allow-Origin (ACAO) header naming the allowed origin.
  • 2.2) If the server does not allow the cross-origin request, it can return an error page.
  • 2.3) An ACAO header with a wildcard *, allowing every domain.
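The following block walks the exchange above end to end and is an added example, not code from the WebAuditing wiki. It builds the preflight that www.test.com's browser sends, lets a hypothetical www.example.com server answer in each of the three ways (2.1 allowlist, 2.2 error page, 2.3 wildcard), and then applies the browser-side rule that decides whether the requesting page may read the response. The allowlist, methods and header names are constructed for the example; the browser rule encoded here is the one browsers apply to the origin header alone (a wildcard ACAO is never accepted for a credentialed request), which is why the wildcard policy only fits public content.

```javascript
// Added example (not from the WebAuditing wiki): the preflight exchange and the
// browser-side decision for each of the server's three kinds of answer.

// Constructed allowlist held by the hypothetical www.example.com server; the
// origin is the page's own example value.
const ALLOWED_ORIGINS = new Set(["http://www.test.com"]);

// Step 1: the browser builds the preflight OPTIONS request for a JSON POST.
function buildPreflight(origin, method, requestHeaders) {
  return {
    method: "OPTIONS",
    headers: {
      "Origin": origin,
      "Access-Control-Request-Method": method,
      "Access-Control-Request-Headers": requestHeaders.join(", "),
    },
  };
}

// Step 2: the server answers in one of the page's three ways.
//   mode "allowlist" -> 2.1   mode "deny" -> 2.2   mode "wildcard" -> 2.3
function serverPreflightResponse(preflight, mode) {
  const origin = preflight.headers["Origin"];
  const common = {
    "Access-Control-Allow-Methods": "GET, POST",
    "Access-Control-Allow-Headers": "Content-Type",
    "Access-Control-Max-Age": "600",
  };
  if (mode === "wildcard") {
    return { status: 204, headers: { "Access-Control-Allow-Origin": "*", ...common } };
  }
  if (mode === "allowlist" && ALLOWED_ORIGINS.has(origin)) {
    return {
      status: 204,
      headers: {
        "Access-Control-Allow-Origin": origin,       // echo only an allowlisted value
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",                            // caches must key on Origin
        ...common,
      },
    };
  }
  return { status: 403, headers: {} };               // 2.2: error page, no ACAO at all
}

// Step 3: the browser-side rule for the origin header. Returns true only when
// the page at `origin` is allowed to read the response. With credentials
// (cookies) in play, "*" does not count and ACAC must be "true".
function browserPermits(origin, response, withCredentials) {
  const acao = response.headers["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (withCredentials) {
    return acao === origin && response.headers["Access-Control-Allow-Credentials"] === "true";
  }
  return acao === "*" || acao === origin;
}

// Run one full exchange and report both messages plus the verdict.
function runExchange(origin, mode, withCredentials) {
  const request = buildPreflight(origin, "POST", ["Content-Type"]);
  const response = serverPreflightResponse(request, mode);
  return { request, response, permitted: browserPermits(origin, response, withCredentials) };
}

for (const [origin, mode, creds] of [
  ["http://www.test.com", "allowlist", true],
  ["https://attacker.test", "allowlist", true],
  ["https://attacker.test", "wildcard", false],
  ["https://attacker.test", "wildcard", true],
]) {
  const r = runExchange(origin, mode, creds);
  console.log(`${origin} / ${mode} / credentials=${creds} -> status ${r.response.status}, readable=${r.permitted}`);
}
```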

CORS

  1. Components
  • Vulnerable site
  • Attacker-controlled website
  • Victim

  2. Action

  • The victim visits the attacker-controlled website
  • The site has malicious HTML code that is triggered when the victim accesses it
    • For example, a hidden form transferring money from the victim's account to the attacker's account
    • If the attacker is able to successfully send this request, it may be a CSRF
    • If the attacker is able to see the response, this is a violation of CORS
    • If the attacker is not able to see the response of that request, this is NOT a CORS violation
    • Wildcard CORS vs CSRF - TODO
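The distinction in the last bullets (the request going through is a CSRF concern; the foreign page being able to read the response is the CORS violation) is something a defender can check for after the fact. The block below is an added example, not code from the WebAuditing wiki: it parses a few constructed access-log lines in a hypothetical format that records the request Origin together with the response's ACAO and ACAC headers, and flags every response that a page on a non-trusted origin would have been able to read. The trusted-origin list and the log format are assumptions for the example.

```javascript
// Added example (not from the WebAuditing wiki): audit access-log entries for
// responses that were exposed to a foreign origin.

// Constructed list of origins the hypothetical service is supposed to trust.
const TRUSTED_ORIGINS = new Set(["https://www.example.com", "https://app.example.com"]);

// Constructed log lines in a hypothetical format:
//   timestamp method path status request-Origin response-ACAO response-ACAC
// "-" marks an absent header. Line 2 and line 5 are the ones a defender wants
// to see: the server echoed an untrusted Origin (one of them the opaque "null"
// origin) and also allowed credentials.
const SAMPLE_LOG = `
2024-05-01T10:00:01Z GET /api/account 200 https://www.example.com https://www.example.com true
2024-05-01T10:00:02Z GET /api/account 200 https://attacker.test https://attacker.test true
2024-05-01T10:00:03Z GET /api/public 200 https://attacker.test * -
2024-05-01T10:00:04Z POST /api/transfer 302 https://attacker.test - -
2024-05-01T10:00:05Z GET /api/account 200 null null true
`.trim();

function parseLine(line) {
  const [ts, method, path, status, origin, acao, acac] = line.split(/\s+/);
  const absent = v => (v === "-" ? null : v);
  return { ts, method, path, status: Number(status), origin: absent(origin), acao: absent(acao), acac: absent(acac) };
}

// Classify one entry from the defender's point of view.
//   no-cors-read                      the browser blocks the read; if the request
//                                     changed state, that is the CSRF question,
//                                     not a CORS violation (page's last two bullets)
//   public-wildcard                   ACAO: * on a response meant to be public
//   invalid-wildcard-with-credentials ACAO: * plus ACAC: true; browsers reject it
//   trusted-origin                    ACAO echoes an origin on the trusted list
//   reflected-origin[-with-credentials] ACAO echoes an untrusted origin: the
//                                     foreign page can read the response
function classify(e) {
  if (e.acao === null) return "no-cors-read";
  if (e.acao === "*") return e.acac === "true" ? "invalid-wildcard-with-credentials" : "public-wildcard";
  if (e.acao !== e.origin) return "no-cors-read";
  if (TRUSTED_ORIGINS.has(e.origin)) return "trusted-origin";
  return e.acac === "true" ? "reflected-origin-with-credentials" : "reflected-origin";
}

// Return only the entries worth an alert.
function auditLog(text) {
  const findings = [];
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    const e = parseLine(line);
    const verdict = classify(e);
    if (verdict.startsWith("reflected") || verdict.startsWith("invalid")) {
      findings.push({ ts: e.ts, path: e.path, origin: e.origin, verdict });
    }
  }
  return findings;
}

for (const f of auditLog(SAMPLE_LOG)) {
  console.log(`${f.ts} ${f.path} origin=${f.origin} -> ${f.verdict}`);
}
```

Line 4 of the sample (the transfer POST with no ACAO at all) is deliberately not flagged: the request reached the server, so it belongs to the CSRF column, but nothing about it is a CORS violation.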

Resources