Introduction: What is CORS?

What are CORS Attacks and How can you Prevent them?

Cross-origin resource sharing (CORS) attacks are made possible through web server misconfigurations. In this article, we'll look at what CORS attacks are, how they work, and what you can do to avoid them. But before diving into CORS itself, we need to understand a little bit about another important web server security policy: the same-origin policy (SOP).

www.comparitech.com

What are CORS Attacks and How can you Prevent them?

CORS misconfigurations

CORS misconfigurations on a large scale

Inspired by James Kettle's great OWASP AppSec Europe talk on CORS misconfigurations, we decided to fiddle around with CORS security issues a bit. We were curious how many websites out there are actually vulnerable because of dynamically generated or misconfigured CORS headers.

web-in-security.blogspot.com

CORS misconfiguration’s Types

Misconfiguration	Description
Developer backdoor	Insecure developer/debug origins like JSFiddler CodePen are allowed to access the resource
Origin reflection	The origin is simply echoed in ACAO header, any site is allowed to access the resource
Null misconfiguration	Any site is allowed access by forcing the null origin via a sandboxed iframe
Pre-domain wildcard	notdomain.com is allowed access, which can simply be registered by the attacker
Post-domain wildcard	domain.com.evil.com is allowed access, can be simply be set up by the attacker
Subdomains allowed	sub.domain.com allowed access, exploitable if the attacker finds XSS in any subdomain
Non-SSL sites allowed	An HTTP origin is allowed access to a HTTPS resource, allows MitM to break encryption
Invalid CORS header	Wrong use of wildcard or multiple origins,not a security problem but should be fixed

CORS Scanner and Pen Testing

source:

Github source code:

GitHub - RUB-NDS/CORStest: A simple CORS misconfiguration scanner

Based on the research of James Kettle CORStest is a quick & dirty Python 3 tool to find Cross-Origin Resource Sharing ( CORS) misconfigurations. It takes a text file as input which may contain a list of domain names or URLs.

github.com

GitHub - RUB-NDS/CORStest: A simple CORS misconfiguration scanner

git clone https://github.com/RUB-NDS/CORStest.git

Alexa Top 1Million domain sites

88 Results on CVE site related to CORS

CVE - Search Results

The mission of the CVE® Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.

cve.mitre.org

Discuss this paper next week:

CORS paper.pdf1803.9KB

CORS [Cross Origin Resource Sharing]