November 27, 2020

Cross-Origin Resource Sharing (CORS)

Nowadays, many web application architectures need to interact with subdomains or third-party sites in a way that requires full cross-origin access. Cross-origin resource sharing (CORS) makes a controlled relaxation of the same-origin policy (SOP) possible: the server declares, through response headers, which origins are allowed to read its responses, and the browser enforces that declaration.

Access-Control-Allow-Origin

For example, suppose a page with origin https://gingsoft.com makes the following cross-origin REQUEST to awpsec.com (the browser adds the Origin header itself; script cannot set or forge it):

GET /data HTTP/1.1
Host: awpsec.com
Origin: https://gingsoft.com

RESPONSE from awpsec.com:

HTTP/1.1 200 OK
...
Access-Control-Allow-Origin: https://gingsoft.com

The browser will allow code running on gingsoft.com to read the response because the value of Access-Control-Allow-Origin exactly matches the requesting origin. If the header were missing, or carried a different origin, the request would still reach awpsec.com, but the browser would block the script from reading the response. The header can also be the wildcard *, which allows any origin to read the response but never works for requests that carry credentials (cookies or HTTP authentication).

Attacks

The attacks in this section arise when the server decides whether to reflect the Origin header back in Access-Control-Allow-Origin using a loose string comparison instead of an exact match against an allowlist.

For example, suppose an application grants access to all domains ending in:

gingsoft.com

An attacker might be able to gain access by registering the domain:

hackersgingsoft.com

Alternatively, suppose an application grants access to all domains beginning with:

gingsoft.com

An attacker might be able to gain access using the domain:

gingsoft.com.evil-user.net

In both cases the server reflects the attacker's origin in Access-Control-Allow-Origin. If it also sends Access-Control-Allow-Credentials: true, a page on the attacker's domain can issue a credentialed request (the browser attaches the victim's cookies for the target site) and read the victim's authenticated response, which is where the real damage lies. Without that header the attacker can only read what an unauthenticated client could fetch anyway.

Defenses

  • Only allow trusted sites: compare the Origin header against an explicit allowlist of full origins (scheme, host and port) and reject everything else. Do not reflect arbitrary origins, and do not use substring, prefix or suffix checks on the host name.
  • Avoid allowing the null origin (Access-Control-Allow-Origin: null). Sandboxed iframes, local files and some redirects send Origin: null, so an attacker can obtain that value cheaply.
  • Avoid using wildcards in internal networks. Trusting network configuration alone to protect internal resources is not sufficient when internal browsers can access untrusted external domains: a page on an external site can direct the browser at an internal host, and a wildcard or reflected origin then lets it read the response.
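The following is an added example, not code from the original post. It simulates both sides of the exchange described above: a server-side origin policy that decides what to put in Access-Control-Allow-Origin, and the browser-side check that decides whether a script may read the response. Two deliberately flawed policies reproduce the suffix and prefix mistakes from the Attacks section, and a strict allowlist policy reproduces the first defense. The domain names are the ones used in the post; the function names, the allowlist contents and the credentialed-request assumption are this example's own.

```javascript
// Added example (not from the original post). Simulates the server-side
// origin check behind Access-Control-Allow-Origin and the browser-side
// enforcement of the resulting header, then runs the post's attacker
// origins through each policy. Assumption: the target always sends
// Access-Control-Allow-Credentials: true when it reflects an origin.

// Allowlist of full origins (scheme + host + port). Hypothetical contents.
const TRUSTED_ORIGINS = new Set(['https://gingsoft.com', 'https://api.gingsoft.com']);

// Extract the host from an Origin value; "null" and garbage yield null.
function hostOf(origin) {
  try {
    return new URL(origin).hostname;
  } catch (e) {
    return null;
  }
}

// Flawed policy 1: "all domains ending in gingsoft.com" (suffix match).
function allowsOriginSuffix(origin) {
  const host = hostOf(origin);
  return host !== null && host.endsWith('gingsoft.com');
}

// Flawed policy 2: "all domains beginning with gingsoft.com" (prefix match).
function allowsOriginPrefix(origin) {
  const host = hostOf(origin);
  return host !== null && host.startsWith('gingsoft.com');
}

// Strict policy: exact match of the whole origin against the allowlist.
// "null", other schemes and other ports all fail this check.
function allowsOriginStrict(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// Server side: CORS headers the target would add for a given request Origin.
function corsHeaders(requestOrigin, policy) {
  if (!requestOrigin || !policy(requestOrigin)) return {}; // no CORS headers at all
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin', // keep caches from serving one origin's headers to another
  };
}

// Browser side: may script on pageOrigin read a response with these headers?
function browserAllowsRead(pageOrigin, headers, withCredentials) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;
  if (acao === '*') return !withCredentials; // wildcard is refused for credentialed requests
  if (acao !== pageOrigin) return false;
  if (withCredentials && headers['Access-Control-Allow-Credentials'] !== 'true') return false;
  return true;
}

// End to end: can a page on attackerOrigin read the victim's credentialed response?
function attackerCanRead(attackerOrigin, policy) {
  const headers = corsHeaders(attackerOrigin, policy);
  return browserAllowsRead(attackerOrigin, headers, true);
}

// Constructed attacker origins from the post plus the null origin.
const ATTACKER_ORIGINS = ['https://hackersgingsoft.com', 'https://gingsoft.com.evil-user.net', 'null'];

function main() {
  const policies = { suffix: allowsOriginSuffix, prefix: allowsOriginPrefix, strict: allowsOriginStrict };
  for (const [name, policy] of Object.entries(policies)) {
    for (const origin of ATTACKER_ORIGINS) {
      console.log(`${name.padEnd(6)} policy, Origin ${origin}: readable=${attackerCanRead(origin, policy)}`);
    }
  }
}

if (typeof require !== 'undefined' && require.main === module) main();
```

Running it shows the suffix policy handing hackersgingsoft.com read access and the prefix policy doing the same for gingsoft.com.evil-user.net, while the strict policy rejects both and the null origin. The Vary: Origin header matters in practice when responses are cached in front of the application; without it a shared cache can serve one origin's reflected header to a request from another.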