CORS
Cross-Origin Resource Sharing (CORS)
| Aspect | Details |
|---|---|
| Description | CORS is a browser mechanism that lets a web page request restricted resources from an origin other than the one the page was served from. A misconfigured CORS policy can allow attackers to make unauthorized cross-origin requests and access sensitive data. |
| Conditions to be Vulnerable | - The application sets overly permissive CORS headers (e.g., Access-Control-Allow-Origin: *). - Credentials are allowed in CORS requests (e.g., Access-Control-Allow-Credentials: true). - Sensitive endpoints are exposed to cross-origin access without proper validation of the Origin header. |
| Where to Find | - APIs or web applications that support cross-origin requests. - Web servers with overly permissive or incorrectly configured CORS policies. |
| Common Exploits (Misconfiguration) | - Allowing All Origins (Access-Control-Allow-Origin: *): The server responds with data to any domain. While not directly exploitable without credentials, it can leak sensitive information in certain scenarios. - Allowing Wildcards with Credentials (Access-Control-Allow-Origin: * and Access-Control-Allow-Credentials: true): This combination allows any domain to send requests with credentials, exposing sensitive data such as session tokens. - Whitelisting Malicious Origins: The application allows a malicious domain (e.g., via a subdomain hijack) to make cross-origin requests, accessing sensitive resources. |
| Exploitation Conditions | - CORS with Credentials (Access-Control-Allow-Credentials: true): When credentials (like cookies, authorization headers, or SSL client certificates) are allowed with cross-origin requests, any domain that can send requests is able to steal sensitive data, provided the origin policy is permissive. - Exploiting Whitelisted Origins: If the application incorrectly trusts certain domains, an attacker could use a controlled subdomain or a compromised whitelisted domain to perform unauthorized requests. |
| Example | A web API sets Access-Control-Allow-Origin: * and Access-Control-Allow-Credentials: true. An attacker sets up a malicious site and tricks users into visiting it. The attacker’s site sends authenticated cross-origin requests to the API, exploiting the permissive CORS policy to steal sensitive user data like session tokens or personal information. |
| Mitigation | - Limit Origins: Set Access-Control-Allow-Origin to a specific list of trusted domains rather than allowing all (*). - Avoid Allowing Credentials by Default: Only set Access-Control-Allow-Credentials: true if it is essential, and even then, restrict the origins that can use credentials. - Validate the Origin Header: Perform server-side checks to ensure that the Origin header is from a trusted source before allowing the request. - Use Content-Security-Policy (CSP): Implement a strict CSP to control which domains can interact with your resources. |
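The Origin validation weakness from the Exploitation Conditions row and the Limit Origins / Validate the Origin Header mitigations, as an added JavaScript example that is not part of the original page: a weak substring check beside an exact allowlist check, plus an audit helper that flags the header combinations listed in the table. It assumes a Node.js/Express-style server; the allowlist and the sample origins are constructed.

```javascript
// Added example, not code from the original page. Assumes a Node.js (Express-style)
// server; the allowlist and the sample origins and headers are constructed.
// Exact full origins (scheme + host + port): no wildcards, no bare hostnames.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com:8443',
]);

// Weak check seen in the wild: substring match on the Origin string. It also accepts
// 'https://evil-example.com' and 'https://example.com.attacker.net'.
function weakOriginAllowed(origin) {
  return typeof origin === 'string' && origin.includes('example.com');
}

// Hardened check: the whole Origin value must match an allowlist entry exactly.
function strictOriginAllowed(origin) {
  return typeof origin === 'string' && ALLOWED_ORIGINS.has(origin);
}

// CORS headers for a credentialed endpoint. An untrusted origin gets no CORS headers
// at all, so the browser blocks the cross-origin read.
function corsHeaders(origin) {
  if (!strictOriginAllowed(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,      // echo the validated origin, never '*'
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',                           // caches must key the ACAO value on Origin
  };
}

// Defender-side audit of an observed response: flags the misconfigurations from the table.
function auditCorsResponse(requestOrigin, headers) {
  const acao = headers['Access-Control-Allow-Origin'];
  const creds = headers['Access-Control-Allow-Credentials'] === 'true';
  const findings = [];
  if (acao === '*') findings.push(creds ? 'wildcard-with-credentials' : 'wildcard-origin');
  if (acao === 'null') findings.push('null-origin-allowed');
  if (acao && acao !== '*' && acao !== 'null' && acao === requestOrigin && !ALLOWED_ORIGINS.has(acao)) {
    findings.push(creds ? 'origin-reflected-with-credentials' : 'origin-reflected');
  }
  return findings;
}

// Express-style wiring of the hardened check (illustrative).
function corsMiddleware(req, res, next) {
  for (const [k, v] of Object.entries(corsHeaders(req.headers.origin))) res.setHeader(k, v);
  if (req.method === 'OPTIONS') return res.status(204).end();
  next();
}
```

Browsers do not honour a literal `*` together with `Access-Control-Allow-Credentials: true`, so the credentialed case that actually leaks data in practice is a server that reflects an arbitrary Origin value, which `auditCorsResponse` reports as `origin-reflected-with-credentials`.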
Amazing CORS Resources
| Credit | URL |
|---|---|
| PortSwigger - CORS | https://portswigger.net/web-security/cors |
| Medium - Cross-Origin Resource Sharing (CORS) Vulnerability Example and Prevention | https://medium.com/@tushar_rs_/cross-origin-resource-sharing-cors-vulnerability-example-and-prevention-588d299ff185 |
| OWASP - Testing Cross-Origin Resource Sharing | https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/07-Testing_Cross_Origin_Resource_Sharing |
| HackTricks - CORS Bypass | https://book.hacktricks.xyz/pentesting-web/cors-bypass |
| SecureLayer7 - OWASP Top 10 Security Misconfiguration: CORS Vulnerability Patch | https://blog.securelayer7.net/owasp-top-10-security-misconfiguration-5-cors-vulnerability-patch/ |
| Vaadata - Understanding and Preventing CORS Misconfiguration | https://www.vaadata.com/blog/understanding-and-preventing-cors-misconfiguration/ |