Cross-Origin Resource Sharing (CORS)
- Cross-Origin Resource Sharing (CORS) is a mechanism that enables web browsers to perform cross-domain requests using the XMLHttpRequest API in a controlled manner.
- These cross-origin requests carry an Origin header that identifies the origin (scheme, host and port) initiating the request.
- CORS defines the protocol used between a web browser and a server to determine whether a cross-origin request is allowed.
What a CORS attack could look like:-
- The victim visits evilwebsite.com while being authenticated to goodwebsite.com.
- evilwebsite.com delivers a malicious script, designed to interact with goodwebsite.com, to the victim's browser.
- The victim's browser unwittingly executes the malicious script, and the script issues a cross-origin request to goodwebsite.com.
- In this example, let's assume the request is crafted to obtain the credentials necessary to perform a privileged action such as revealing the user's password.
- goodwebsite.com receives the victim's cross-origin request together with its Origin header (evilwebsite.com) and the victim's session cookie.
- The web server checks the Origin header to decide whether the response may be shared with the requesting origin. In this example, we're assuming that CORS is allowed with authentication (Access-Control-Allow-Credentials: true) and that the origin is accepted.
- The request is validated, the response reaches the victim's browser, and the script sends the data from the victim's browser to evilwebsite.com.
CORS Misconfigurations:-
- When the protocol has been incorrectly configured, a domain controlled by a malicious party can send requests to your domain and read the responses.
- The business implications of this range from stealing data to compromising your entire application. Understanding the risks will enable you to remediate them before a catastrophe.
Key CORS headers:
There are a number of HTTP headers related to CORS, but the following three response headers are the most important for security:
1) Access-Control-Allow-Origin:
- It specifies which origins can access the domain's resources.
- For instance, if provider.com wants to let requester.com access its resources, the developers of provider.com can use this header to grant requester.com access to provider.com resources.
2) Access-Control-Allow-Credentials:
- It specifies whether the browser may include cookies (and other credentials) with the request and expose the response to the calling script.
- Credentials will only be honoured if the Access-Control-Allow-Credentials header is set to true.
3) Access-Control-Allow-Methods:
- It specifies which HTTP request methods (GET, PUT, DELETE, etc.) can be used to access resources.
- This header lets developers further enhance security by specifying which methods are valid when requester.com requests access to provider.com resources.
How to prevent CORS-based attacks:-
CORS vulnerabilities arise primarily as misconfigurations. Prevention is therefore a configuration problem. The following sections describe some effective defenses against CORS attacks.
1) Proper configuration of cross-origin requests:
- If a web resource contains sensitive information, the origin should be properly specified in the Access-Control-Allow-Origin header.
2) Only allow trusted sites:
- It may seem obvious, but the origins specified in the Access-Control-Allow-Origin header should only be sites that are trusted.
- In particular, dynamically reflecting origins from cross-origin requests without validation is readily exploitable and should be avoided.
3) Avoid whitelisting null:
- Avoid using the header Access-Control-Allow-Origin: null. Cross-origin resource calls from internal documents and sandboxed requests can specify the null origin.
- CORS headers should be properly defined with respect to trusted origins for private and public servers.
4) Avoid wildcards in internal networks:
- Avoid using wildcards in internal networks.
- Trusting network configuration alone to protect internal resources is not sufficient when internal browsers can access untrusted external domains.
5) CORS is not a substitute for server-side security policies:
- CORS defines browser behaviors and is never a replacement for server-side protection of sensitive data - an attacker can directly forge a request from any trusted origin.
- Therefore web servers should continue to apply protections over sensitive data, such as authentication and session management, in addition to properly configured CORS.
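The three headers described earlier and the five prevention points above, expressed as a small server-side policy. This is an added example written for this article, not code from the original post: requester.com and evilwebsite.com are the article's example names, while the allowlist, the POLICY object, the function names and the sample origins are constructed for illustration, and the web framework that would call corsHeadersFor on each request is left out.

```javascript
// Added example (not from the original article): a minimal server-side CORS
// policy in plain JavaScript. Origins, allowlist and samples are constructed.

// The pattern point 2 warns against: reflect whatever Origin the browser sent
// and allow credentials. Any site can then read the authenticated response.
function reflectingCorsHeaders(origin) {
  if (!origin) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened policy: exact-match allowlist of full origins (scheme + host + port),
// no "null", no wildcard combined with credentials, an explicit method list.
const POLICY = {
  allowedOrigins: new Set([
    "https://requester.com",      // constructed trusted origin
    "https://app.requester.com",  // constructed trusted origin
  ]),
  allowCredentials: true,
  allowedMethods: ["GET", "POST"],
};

// Returns the CORS response headers to emit for a given Origin request header,
// or an empty object when the origin is not trusted (the browser then blocks
// the cross-origin read).
function corsHeadersFor(origin, policy = POLICY) {
  // No Origin header: same-origin or non-browser client; emit nothing.
  if (typeof origin !== "string" || origin.length === 0) return {};
  // Point 3: never trust "null" (sandboxed iframes, file:// documents).
  if (origin === "null") return {};
  // Point 2: exact match only. A suffix test such as
  // origin.endsWith("requester.com") would accept "https://evilrequester.com".
  if (!policy.allowedOrigins.has(origin)) return {};
  const headers = {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": policy.allowedMethods.join(", "),
    // The response differs per origin, so shared caches must key on it.
    "Vary": "Origin",
  };
  if (policy.allowCredentials) {
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Startup check for a static policy (points 3 and 4): returns a list of
// configuration problems, empty when the policy is sound.
function validatePolicy(policy) {
  const problems = [];
  if (policy.allowedOrigins.has("*") && policy.allowCredentials) {
    problems.push("wildcard origin combined with credentials");
  }
  if (policy.allowedOrigins.has("null")) {
    problems.push("null origin is allowlisted");
  }
  for (const o of policy.allowedOrigins) {
    // Entries must be bare origins: scheme://host[:port], no path.
    if (o !== "*" && !/^https?:\/\/[^/]+$/.test(o)) {
      problems.push(`not a bare origin: ${o}`);
    }
  }
  return problems;
}

// Constructed sample Origin values as a browser would send them.
const SAMPLE_ORIGINS = [
  "https://requester.com",
  "https://evilwebsite.com",
  "https://requester.com.evilwebsite.com",
  "null",
];

for (const o of SAMPLE_ORIGINS) {
  const allowed = Object.keys(corsHeadersFor(o)).length > 0;
  console.log(`${o} -> ${allowed ? "allowed" : "blocked"}`);
}
```

validatePolicy is meant to run once at startup and fail deployment on any problem; corsHeadersFor runs per request. Keeping the allowlist as full origins rather than hostnames matters because http://requester.com and https://requester.com are different origins to the browser.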
Some Extra Precautions:-
As a user you basically want to be one step ahead of phishing scams, malicious websites and downloads to minimize your chances of falling victim to a CORS attack. The following common-sense tips can help:
These steps are useful to avoid many online attacks, so they are generally good practices to follow:
- Use a firewall:- All major operating systems have a built-in incoming firewall, and all commercial routers on the market have a built-in NAT firewall. Make sure you enable these, as they may protect you in the event that you click a malicious link.
- Use Anti-Virus Software:- Only buy well-reviewed and genuine antivirus software from legitimate vendors and configure it to run frequent scans at regular intervals.
- Never click on pop-ups, because you never know where they'll take you next.
- If your browser displays a warning about a website you are trying to access, you should pay attention and get the information you need elsewhere.
- Don't open attachments in emails unless you know exactly who sent the attachment and what it is.
- Don't click links (URLs) in emails unless you know exactly who sent the URL and where it links to. And even then, inspect the link carefully. Is it an HTTP or an HTTPS link?
- Most legitimate sites use HTTPS today. Does the link contain spelling errors (faceboook instead of facebook)? If you can get to the destination without using the link, then you should do that instead.