Large Scale Analysisof CORS Misconfigurations · Jens Müller | Large Scale Analysis of CORS Misconfigurations 25 Popular vulnerable sites 25 nystax.gov flipboard.com nike.net moneymonk.nl

1Jens Müller | Large Scale Analysis of CORS Misconfigurations 1

LargeScaleAnalysis ofCORSMisconfigurations

JensMüller

2Jens Müller | Large Scale Analysis of CORS Misconfigurations

Motivation

• HTTPsecurityheaders– X-Frame-Options– X-Content-Type-Options– X-XSS-Protection– Referrer-Policy– CSP, HSTS, HPKP– …

2



1. Background2. Misconfigurations3. CORStest4. Evaluation5. Conclusions

Overview


WhatisCORS?

• Cross-OriginResourceSharing• Enableswebserverstoexplicitlyallowcross-siteaccesstoacertainresource

• PunchesholesintoSame-OriginPolicy

5


Example

6

• SameOriginPolicy:Scriptscanonlyaccessdatafromthesameorigin(protocol,domain,port)

User

bank.com

WebrequestJavaScript

Origin: http://evil.com

evil.com


Cross-OriginResourceSharing

7

Access-Control-Allow-Origin: http://good.com

User

site.com/api

WebrequestJavaScript

Origin: http://good.com

good.com

• CORS-basedwebAPIaccess


CORSHTTPheaders

• Access-Control-Allow-Origin (ACAO)

–WhichURIisallowedaccess?• Access-Control-Allow-Credentials (ACAC)

– Accesswith(session)cookies?• SomemoreAccess-Control-… headers

8



Overview


Misconfigurations

10


Developerbackdoor

• Insecuredeveloper/debugoriginsallowed

11

ACAO: https://fiddle.jshell.net

User

site.com/user-data

Origin: https://fiddle.jshell.net

fiddle.jshell.net


Allowingaccesstomultiplesites

• Allowallorigins– ACAO: *– butneverwithcredentials(thereforemostlyharmless)

• Invalidconfigurations:– ACAO: site1, site2– ACAO: *.site

• Solution:DynamicallyreturnACAO basedonOrigin

12


Subdomainsallowed

• sub.domain.com allowedaccess– exploitableifXSSinany subdomain

13


Post/predomainwildcard

• notdomain.com isallowedaccess– cansimplyberegisteredbytheattacker

• domain.com.evil.com isallowedaccess– canbesimplybesetupbytheattacker

14


Originreflection

• TheoriginissimplyechoedinACAO header– anysiteisallowedtoaccesstheresource

15


Nullmisconfiguration

• ACAO: null toallowlocalHTMLfiles• null origincanbeforcedusinganiframe– anysiteisallowedtoaccesstheresource

• nullmaybereturnedbysoftware(Node.js)

16


Protocol-relativeURLs

• ACAO: // returnedbysomewebsites• Howshouldbrowsersdealwiththis?– IE,Edge:denyallorigins– FF,Ch,Sa,Op:allowall

17


http://site.com

Origin: http://site.com

Non-ssl sitesallowed

• Ahttp originisallowedaccesstoahttpsresource,allowsMitM tobreakencryption

18

Access-Control-Allow-Origin: http://site.com

User

https://site.com/user-data



Overview


CORStest

• SimpleCORSmisconfigurationscanner• https://github.com/RUB-NDS/CORStest• SendsrequestswithvariousOriginschecksfortheACAO/ACAC responses

20


Demotime

21



Overview


Evaluation:Alexatop1mwebsites

=29,514sites=3,750sites


Evaluation:Alexatop1mwithcredentials

=3,392sites=1,912sites


Popularvulnerablesites

25

nystax.gov

flipboard.com

nike.net

moneymonk.nl

webtransfer.orgdiscourse.mozilla.org

oneplus.net

datacamp.com

planted.com

computerbild.de

moneyversed.com

peddler.com

falk.de

obamacare.netlemoney.com

dzpay.org

alepay.vn

americanbanker.com

wikibuy.com

apttus.com

ignite.microsoft.com

alipay.comtu-dresden.de

dasoertliche.de

chalk.comtransferwise.comduracell.com

metabo.com

korpay.com

taz.de

schwarzwaelder-bote.de

appnexus.commail.bg

profile.accounts.firefox.com

bitssa.com

events.att.com

staffhub.combitcoinpay.com

icofunding.com

jobsbeta.microsoft.com

fantrax.com

conductrics.com

knack.cominstructure.com

id.net

landr.com

conspire.com

passpack.com

paypax.info

alphaloan.co

playtestcloud.com

hyperwallet.com

officerreports.net

geschaeftskunden.telekom.de

btcclicks.compartnerevents.booking.com

wayfair.de

teltarif.de

bankofireland.com

cloud.net

academia.edu

azubi.de

kaspay.com

fullcontact.com

eismann.de

abendzeitung-muenchen.de

adidas.de

aboutyou.deporsche.com

esa.io

myshowpass.com

lonestarnationalbank.comhelpling.de

fedex.com

agoda.cominsight.rapid7.com

s.id

udacity.com

jobs.chsparkassenversicherung.de

paytop.com

crystalgraphics.com

login.worldpay.com

pixieset.com

cerego.com

sv-sachsen.de

walmart.com

wetransfer.com

flat.io

bungie.net

secure.paycor.com

libertex.comfundly.com

yummly.com

transform.microsoft.com

wallet.baidu.com

coinalarm.io garnier.de

netbank.de

token.im

payoffshore.com

loanframe.comprovinzial.de

zuto.com

native-instruments.de

ctf365.com

coinplug.com9cloud.us

citypay.com

slice.com

uberall.com

cheaptickets.de


Reportingonamediumscale

• Hadtonotify1,912 1,500websites• Howtodothis? Contactmanually?

– security@,support@,info@, privacy@

• About300websitesfixedtheflaw…• Somedidnotwanttobelieve:– Kevinhasresolvedyourticket:“WearefullyPCI-DSScompliantandhavepassedallscans”

– “Weusethemostsecuredcloudserversandmilitarygradeencryptiontobackupyourdata”

26


CausesforCORSmisconfigurations

27

$missing

→localhost.evil.com accessgranted


CausesforCORSmisconfigurations

• CORSinAction containsexamplessuchasvar originWhitelist = ['null', …]

• Rack::Cors mapsorigins '' ororigins '*'intoreflectingallorigins(+CVE-2017-11173)

• crVCL PHPFrameworkjustchecksifallowedoriginstringiscontainedinOrigin value

28


Invalidheaders

• Invalid(creative)ACAO valuesweobserved:– self, true, false, undefined, None, 0, (null), domain, origin, SAMEORIGIN

29



Overview


Conclusions

• ThereisalotofconfusiononCORS• It’stooeasytomisconfigureCORS• Canremoveallyourwebsecurity• ACAO: * ismostlyharmless

31


Thanksforyourattention...

CORStestl https://github.com/RUB-NDS/CORStest

Questions?

32


Somepopularsites

• Onlinebanking,insurance,bitcoins,paymentandUSstate'staxfilingsitesvulnerable:– sparkassenversicherung.de,bitcoinpay.com,coinplug.com,bankofireland.com,korpay.com,lonestarnationalbank.com,moneymonk.nl,netbank.de,paytop.com,transferwise.com,citypay.com,payoffshore.com,nystax.gov,id.net,booking.com,microsoft.com,yandex.com,geschaeftskunden.telekom.de,agoda.com,fedex.com,adidas.de,dasoertliche.de,…

33


http://site.comhttp://any.com

Origin: http://site.com

Non-ssl sitesallowed

• Ahttp originisallowedaccesstoahttpsresource,allowsMitM tobreakencryption

34

Access-Control-Allow-Origin: http://site.com

User

https://site.com/user-data

Redirecttohttp://site.com

Large Scale Analysisof CORS Misconfigurations · Jens Müller | Large Scale Analysis of CORS Misconfigurations 25 Popular vulnerable sites 25 nystax.gov flipboard.com nike.net moneymonk.nl

Documents