Unsafe Cross-Origin Resource Sharing

Unsafe Cross-Origin Resource Sharing

Overview of the Vulnerability

The Cross-Origin Resource Sharing (CORS) Policy is a security control implemented by browsers to extend Same-Origin Policy (SOP) to cross domain requests via an allow list. However, misconfigurations can create unsafe CORS instances where cross-domain attacks can occur. An attacker can leverage unsafe CORS policies in the application to break the SOP and exfiltrate data or execute code on users’ browsers.

Business Impact

Unsafe CORS can lead to reputational damage for the business due to a loss in confidence from users who are attempting to perform legitimate actions within the application.

Steps to Reproduce

1. Enable a HTTP intercept proxy, such as Burp Suite or OWASP ZAP

2. With the HTTP intercept proxy turned on, use a browser to navigate to: {{URL}}

3. In the HTTP intercept proxy, observe the following header:

{{Header}}

1. The following request and response pair demonstrates the unsafe CORS:

{{Request}}

{{Response}}

Proof of Concept (PoC)

The screenshot below demonstrates the full exploit:

{{screenshot}}

Recommendation(s)

To prevent CORS attacks the cross-origin requests need to be properly configured. This includes not using null and instead using a strict allow list of trusted sites in the Access-Control-Allow-Origin header. It is also good practice to not use wildcards (*) for internal networks, and include further server-side protections for sensitive data.

For more information, please see:

• https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

• https://fetch.spec.whatwg.org/#http-cors-protocol