CORS (Cross-Origin Resource Sharing) enables resource sharing that pulls data from a lot of different sources. Like any relatively open aspect of the internet, it can be a risk. Learn how to test your web applications to create a secure CORS policy.

Origins and Key Concepts

CORS began as a way to make application resource sharing easier and more effective. With CORS, it is possible for one app to share resources with an application belonging to another domain. This leads to a web where many apps from various domains are sharing resources with one another.

For example, have you ever wondered how various airlines’ latest fares and other related data lands on your favorite travel booking app? That’s the power of the CORS policy. If you want to build an online travel booking application that integrates data and resources from all vendors and airlines, the easiest way would be to pull data from the vendor’s or airline’s APIs with CORS configured.

Specifically, CORS is a mechanism that uses additional HTTP headers to tell browsers to give a web application running at one origin access to selected resources from a different origin. A web application executes a cross-origin HTTP request when it requests a resource that has a different origin (domain, protocol, or port) from its own. A CORS request can be triggered by providing an additional header called “Origin” in the http request.

Figure 1: Travel Website integrates data from various other applications.

A misconfigured CORS policy comes with possible security vulnerabilities. Threat actors have been able to use it to obtain sensitive user data and steal bitcoin wallets.

Before getting into the specifics of CORS exploitation, we’ll discuss some core technical concepts.

A Brief History of Microservice Architecture

Before CORS was standardized, same origin policy (SOP) did not allow two web application domains with different origins to share resources. But today, the world is moving toward microservice architecture. This forms large, complex applications out of various small applications. For these small applications, resource sharing is very important. However, they are loosely coupled and deployed on different servers or hosted on different domains or ports. This is where standardized CORS plays a critical role. It allows resource sharing even when a http request is made to a different domain, different subdomain, different protocol or different port.

The Importance of SOP

SOP is a critical security mechanism that restricts how a document or script loaded from one origin can interact with a resource from another origin. It helps isolate potentially malicious documents, reducing possible attack vectors. Web applications are often hit or targeted with Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) attacks. In response to this issue, web application developers have used SOP.

A key component of SOP is the idea of “origin”, which requires that two web pages in the same domain, host and protocol, are of the same origin. The format of origins traditionally follows ‘Origin= (domain, port, protocol)’.

For example, a domain running in a browser cannot access the data on other domains running in the same browser. This is because the web browser enforces the same origin policy, isolating the data being shared between two different applications on the same browser.

To better understand SOP, let’s use an example web URL: https://www.storecompany[.]com. The below table helps us understand more about ‘Same-Origin’.

 URL  Outcome
http://store.company[.]com/dir/page.html Starting URL
 http://store.company[.]com/dir2/other.html Same-Origin
 http://store.company[.]com/dir/inner/another.html Same-Origin
 https://store.company[.]com/page.html Different Protocol
 https://store.company[.]com:443/page.html Different Port
 http://swing.company[.]com/page.html Different Domain
Scroll to view full table

How to Use CORS

A CORS request can be triggered by providing an additional header called “Origin” in the http request. For example, a client request with CORS origin header would look like this:

Get /data   http/1.1

Host: Service.domain-A.com

Origin: http://www.example[.]com

In this example, domain www.example[.]com wants to fetch resources from service.domain-A.com. If domain service.domain-A.com wishes to share its resources, then the requesting domain www.example[.]com should be mentioned in the “Access-Control-Allow-Origin” header server side. For example:

HTTP/1.1 200 OK

Access-Control-Allow-Origin: http://www.example[.]com

This response from server Service.domain-A.com shows that www.example[.]com can fetch its resources. Along with the “Access-Control-Allow-Origin” header, there are many more server side CORS configurations and policies that could be configured to enhance stricter policies.

The Keys to CORS Implementation: Headers

The CORS standard has been updated with multiple headers to control resource sharing policies across multiple domains. Examples of these headers are included below:

Request Header: Origin

The Origin request header indicates where a fetch originates from. It doesn’t include any path information, only the server name. It is sent from CORS requests, as well as with POST requests. It is similar to the Referrer header but, unlike that header, it doesn’t disclose the whole path.

Response Header: Access-Control-Allow-Origin

The Access-Control-Allow-Origin response header indicates whether the response can be shared with requesting code from the given origin.

Example of an Access-Control-Allow-Origin header:

Response Header: Access-Control-Allow Header

The Access-Control-Allow-Header’s response header is used in response to a preflight request which includes the Access-Control-Request-Header to indicate which HTTP headers can be used during the actual request. This header is required if the request has an Access-Control-Request Header.

Example of an Access-Control-Allow Header:

Response Header: Access-Control-Allow-Method

The Access-Control-Allow-Method’s response header specifies the method or methods allowed when accessing the resource in response to a preflight request.

Syntax:

Response Header: Access-Control-Allow-Credentials

The default behavior of CORS is for requests to be passed without credentials such as cookies or the authorization header. However, the cross-domain server can permit reading the response when credentials are passed to it by setting the CORS Access-Control-Allow-Credentials header to true. If the requesting website uses JavaScript to declare that it is sending cookies with the request, then the browser will permit the requesting website to read the response, because the Access-Control-Allow-Credentials response header is set to true.

Syntax:

Understanding CORS Pre-Flight Requests

Before you request a server or another domain’s resources, the browser/client sends a preflight HTTP request of the OPTIONS method to the server/domain. This appends three HTTP request headers and looks like Access-Control-Request-Method, Access-Control-Request-Headers, and Origin. This allows the receiving system to understand whether the requested ‘resource’ and action ‘method’ could be trusted and allowed by the server/domain. If the server does not wish to allow the requested method and resource, then the server rejects all the subsequent requests.

For example, a client might ask the server to perform a DELETE request. But, before sending the actual delete request, the browser makes an OPTIONS call with three http headers to find out which method the server supports.

If the server allows it, it will respond to the OPTIONS call with the ‘Access-Control-Allow-Method’ header which mentions the DELETE method.

OPTIONS /resource/bob

Access-Control-Request-Method: DELETE

Access-Control-Request-Headers: origin, x-requested-with

Origin: https://bob.alice[.]org

HTTP/1.1 204 No Content

Connection: keep-alive

Access-Control-Allow-Origin: https://bob.alice[.]org

Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE

Access-Control-Max-Age: 86400

Common Misconfigurations

Many developers have overlooked CORS. These common mistakes can be exploited by threat actors and/or reported on in bounty programs. In this section, we will discuss common misconfigurations of CORS that penetration testers and bounty experts might identify.

1. Setting Wildcard (*) in Response Header

The Allow-Access-Control-Origin response header is configured to allow and control the resources that need to be shared with another requesting domain. It is misconfigured or set to (*) by default. This means that any domain can access the server resources.

By crafting or writing an XHR (XML HTTP REQUEST), an attacker could redirect the resource to the attacker-controlled server, thus compromising the user’s sensitive and confidential information.

Verifying for (*) Wildcard Configuration

Request

GET /api/account-user

Host: www.mysite.com

Origin: www.mysite.com

In the below response, the header Allow-Access-Control-Origin is set to wildcard. It means any domain can access the resources.

Response

HTTP/1.0 200 OK

Access-Control-Allow-Origin: *

Access-Control-Allow-Credentials: true

2. Improper Regular Expression / Pre-Domain Wildcard (*) in Origin Header

In some cases, if the website or domain (example.com) wants to allow requests from its subdomains (ftp.example.com, dns.example.com etc.) the developers may use the below code to allow CORS.

In this code, any request containing (anystring).example[.]com is allowed to fetch resources from “example.com.” An attacker could create a fake website with the name “attacker.example.com” and force “example.com” to view it as a legitimate subdomain. This allows the legitimate site to share its resources with the attacker-controlled site.

In the second line of the code, “.” itself is a regular expression which means “any single character.” This would make the string “attackexample[.]com” match the regular expression. This leads to a situation where the machine would falsely interpret the string as a valid, allowed subdomain. In fact, it is a completely different domain. Therefore, an attacker could create a fake website “attackexample[.]com,” that would force the website “example.com” to share its sensitive resources.

Verifying for (*) Subdomain Wildcard Configuration

Request

GET /api/account user

Host: mysite.com

Origin: example.com

Response

HTTP/1.0 200 OK

Access-Control-Allow-Origin: *.example.com

Access-Control-Allow-Credentials: true

3. Null Origin Header

The specification of the Origin header supports the “null” value. If a cross-origin resource redirects to another resource at a new origin, the browser will set the value of the Origin header to “null” after redirecting. If the server supports the “null” Origin by allowing it in “Allow-Access-Control-Origin,” attackers could abuse this misconfiguration.

Verifying for Mis-Configured “Null” Origin

Request

GET /sensitive data
Host: vulnerablesite.com
Origin: null

Response

HTTP/1.1 200 OK
Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: true

In this situation, an attacker can use various tricks to generate a cross-domain request containing the value “null.” This will satisfy the whitelist, leading to cross-domain access. For example, this can be done using a sandboxed Inline Frame cross-Origin code.

Verifying Misconfiguration Using a Demo Application

The application and domain used below are part of a fictional internally hosted application. The domain corslab[.]com does not exist and is not a public domain, but it will be helpful as an illustration.

Step 1: Access the website using a proxy tool.

Step 2: Add “Origin” request header to verify the CORS configured by corslab[.]com

Step 3: The HTTP response below indicates that corslab[.]com allows its resources to be shared with any requesting Origin.

The above step shows how to verify a misconfigured CORS. This technique could also be leveraged by a threat actor using some JavaScript skills to exploit this vulnerability, so be aware of it if you’re diagnosing a problem.

CORS Mitigation and Best Practices

Organizations should test their mitigation measures for CORS to identify and remediate any security flaws. In particular, look for some common errors. Test whether cross-domain requests are allowed from any origin or not, thus opening them to content exfiltration attacks. Ensure the origin is properly specified in the ACAO if the web resource contains sensitive information. Additionally, confirm that arbitrary input of the origin should not be allowed, as dynamically reflected origin is readily exploitable. Lastly, avoid whitelisting null and wildcards in internal networks. Cross-domain requests and sandboxed requests can specify the null origin. And, when you can, use a skilled group of penetration testers to assess your organization’s adherence to CORS best practices.

More from Application Security

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today