Introduction: What is CORS?
CORS misconfigurations
Types of CORS misconfiguration
| Misconfiguration | Description |
| --- | --- |
| Developer backdoor | Insecure developer/debug origins such as JSFiddle or CodePen are allowed to access the resource |
| Origin reflection | The origin is simply echoed back in the ACAO header, so any site is allowed to access the resource |
| Null misconfiguration | Any site is allowed access by forcing the `null` origin via a sandboxed iframe |
| Pre-domain wildcard | notdomain.com is allowed access, which can simply be registered by the attacker |
| Post-domain wildcard | domain.com.evil.com is allowed access, which can simply be set up by the attacker |
| Subdomains allowed | sub.domain.com is allowed access, exploitable if the attacker finds XSS in any subdomain |
| Non-SSL sites allowed | An HTTP origin is allowed access to an HTTPS resource, which allows a MitM to break the encryption |
| Invalid CORS header | Wrong use of the wildcard or multiple origins; not a security problem in itself but should be fixed |
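The origin-based rows of the table come down to how the server decides which `Origin` value to echo in ACAO. The example below is added here (it is not from the page or from CORStest): a hardened exact-match allowlist check next to a deliberately loose substring check, plus a small audit routine that probes a policy with the table's origin patterns and reports which labels it is exposed to. `domain.com`, `evil.example` and the allowlist are constructed placeholder values.

```python
from urllib.parse import urlsplit

# Constructed allowlist of full origins (scheme + host[:port]); no wildcards.
TRUSTED_ORIGINS = {"https://domain.com", "https://app.domain.com"}


def strict_origin_allowed(origin: str) -> bool:
    """Hardened check: exact, case-insensitive match of scheme + host against a fixed allowlist."""
    if not origin or origin == "null":          # reject missing and sandboxed/"null" origins
        return False
    parts = urlsplit(origin)
    # An Origin header is scheme://host[:port] only; anything extra is malformed.
    if parts.scheme != "https" or not parts.netloc or parts.path or parts.query or parts.fragment:
        return False
    return f"{parts.scheme}://{parts.netloc.lower()}" in TRUSTED_ORIGINS


def naive_origin_allowed(origin: str) -> bool:
    """Loose substring check of the kind behind several table rows; kept flawed on purpose for the audit."""
    return "domain.com" in origin


def audit_policy(is_allowed, site: str = "domain.com") -> list:
    """Probe an origin-check function with the table's patterns; return the labels it is vulnerable to."""
    probes = {  # label -> constructed Origin value a scanner would send for that case
        "Null misconfiguration": "null",
        "Pre-domain wildcard": f"https://not{site}",
        "Post-domain wildcard": f"https://{site}.evil.example",
        "Subdomains allowed": f"https://sub.{site}",
        "Non-SSL sites allowed": f"http://{site}",
        "Origin reflection": "https://evil.example",
        "Developer backdoor": "https://jsfiddle.net",
    }
    return [label for label, origin in probes.items() if is_allowed(origin)]


if __name__ == "__main__":
    print("strict :", audit_policy(strict_origin_allowed))   # expected: []
    print("naive  :", audit_policy(naive_origin_allowed))
```

`audit_policy` can be pointed at any callable, so the same probes work against a wrapper that performs a real request and reports whether ACAO echoed the probe.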
CORS Scanner and Pen Testing
source:
GitHub source code:
git clone https://github.com/RUB-NDS/CORStest.git
Alexa Top 1 Million domain sites
88 results on the CVE site related to CORS
Discuss this paper next week:
CORS paper.pdf