Jens Müller | Large Scale Analysis of CORS Misconfigurations

Large Scale Analysis of CORS Misconfigurations
Jens Müller
Motivation
• HTTP security headers
– X-Frame-Options
– X-Content-Type-Options
– X-XSS-Protection
– Referrer-Policy
– CSP, HSTS, HPKP
– …
Overview
1. Background
2. Misconfigurations
3. CORStest
4. Evaluation
5. Conclusions
What is CORS?
• Cross-Origin Resource Sharing
• Enables web servers to explicitly allow cross-site access to a certain resource
• Punches holes into the Same-Origin Policy
Example
• Same-Origin Policy: scripts can only access data from the same origin (protocol, domain, port)
(Diagram: the user's browser runs JavaScript from evil.com, which sends a web request with "Origin: http://evil.com" to bank.com)
Cross-Origin Resource Sharing
• CORS-based web API access
(Diagram: JavaScript from good.com sends a web request with "Origin: http://good.com" to site.com/api, which answers with "Access-Control-Allow-Origin: http://good.com")
CORS HTTP headers
• Access-Control-Allow-Origin (ACAO)
– Which URI is allowed access?
• Access-Control-Allow-Credentials (ACAC)
– Access with (session) cookies?
• Some more Access-Control-… headers
Misconfigurations
Developer backdoor
• Insecure developer/debug origins allowed
(Diagram: a request from fiddle.jshell.net with "Origin: https://fiddle.jshell.net" to site.com/user-data is answered with "ACAO: https://fiddle.jshell.net")
Allowing access to multiple sites
• Allow all origins
– ACAO: *
– but never with credentials (therefore mostly harmless)
• Invalid configurations:
– ACAO: site1, site2
– ACAO: *.site
• Solution: dynamically return ACAO based on Origin
Subdomains allowed
• sub.domain.com allowed access
– exploitable if XSS in any subdomain
Post/pre domain wildcard
• notdomain.com is allowed access
– can simply be registered by the attacker
• domain.com.evil.com is allowed access
– can simply be set up by the attacker
Origin reflection
• The origin is simply echoed in the ACAO header
– any site is allowed to access the resource
Null misconfiguration
• ACAO: null to allow local HTML files
• null origin can be forced using an iframe
– any site is allowed to access the resource
• null may be returned by software (Node.js)
Protocol-relative URLs
• ACAO: // returned by some websites
• How should browsers deal with this?
– IE, Edge: deny all origins
– Firefox, Chrome, Safari, Opera: allow all
Non-SSL sites allowed
• An http origin is allowed access to an https resource, which allows a MitM attacker to break the encryption
(Diagram: a request from http://site.com with "Origin: http://site.com" to https://site.com/user-data is answered with "Access-Control-Allow-Origin: http://site.com")
CORStest
• Simple CORS misconfiguration scanner
• https://github.com/RUB-NDS/CORStest
• Sends requests with various Origins, checks the ACAO/ACAC responses
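A scanner in the spirit of CORStest, added here as an example (not the tool's own code): it sends one probe Origin per misconfiguration class from the talk and classifies the ACAO/ACAC answer. The send callable and the mock servers are constructed so it runs offline.

```python
from urllib.parse import urlsplit

def probe_origins(target: str) -> dict:
    """Probe Origins, one per misconfiguration class (constructed list,
    not the tool's own probe set)."""
    p = urlsplit(target)
    scheme, host = p.scheme, p.netloc
    probes = {
        "reflection": f"{scheme}://evil.example",          # any origin echoed back
        "prefix":     f"{scheme}://{host}.evil.example",   # domain.com.evil.com
        "suffix":     f"{scheme}://evil{host}",            # notdomain.com
        "subdomain":  f"{scheme}://evil.{host}",           # any subdomain trusted
        "null":       "null",                              # forced via a sandboxed iframe
    }
    if scheme == "https":
        probes["http"] = f"http://{host}"                  # non-SSL origin on an SSL resource
    return probes

def scan(target: str, send) -> dict:
    """send(url, origin) -> response-header dict. Returns {issue: credentials_allowed}
    for every probe the target accepts (ACAO echoes the probe, is '*' or '//')."""
    findings = {}
    for issue, origin in probe_origins(target).items():
        hdrs = {k.lower(): v for k, v in send(target, origin).items()}
        acao = hdrs.get("access-control-allow-origin")
        acac = hdrs.get("access-control-allow-credentials", "").lower() == "true"
        if acao is None:
            continue
        if acao == "*":
            findings["wildcard"] = acac           # browsers refuse '*' together with credentials
        elif acao == "//":
            findings["protocol-relative"] = acac  # allow-all in Firefox/Chrome, denied by IE/Edge
        elif acao == origin:
            findings[issue] = acac
    return findings

# Constructed mock servers standing in for the HTTP round-trip.
def mock_reflect(url, origin):
    return {"Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true"}

def mock_suffix_check(url, origin):
    # Buggy allowlist: endswith("site.com") accepts evilsite.com and evil.site.com alike.
    if origin.endswith("site.com"):
        return {"Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true"}
    return {}

def mock_strict(url, origin):
    return {"Access-Control-Allow-Origin": origin} if origin == "https://partner.example" else {}

if __name__ == "__main__":
    for name, srv in [("reflect", mock_reflect), ("suffix", mock_suffix_check), ("strict", mock_strict)]:
        print(name, scan("https://site.com/api", srv))
```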
Demo time
Evaluation: Alexa top 1m websites
(Chart: 29,514 sites; 3,750 sites)
Evaluation: Alexa top 1m with credentials
(Chart: 3,392 sites; 1,912 sites)
Popular vulnerable sites
(Word cloud of vulnerable domains)
Reporting on a medium scale
• Had to notify 1,912 → 1,500 websites
• How to do this? Contact manually?
– security@, support@, info@, privacy@
• About 300 websites fixed the flaw…
• Some did not want to believe:
– Kevin has resolved your ticket: "We are fully PCI-DSS compliant and have passed all scans"
– "We use the most secured cloud servers and military grade encryption to backup your data"
Causes for CORS misconfigurations
(Code screenshot, annotated: $missing → localhost.evil.com access granted)
Causes for CORS misconfigurations
• CORS in Action contains examples such as var originWhitelist = ['null', …]
• Rack::Cors maps origins '' or origins '*' into reflecting all origins (+ CVE-2017-11173)
• crVCL PHP Framework just checks if the allowed origin string is contained in the Origin value
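The substring check just described and the "dynamically return ACAO based on Origin" advice from the multiple-sites slide, side by side as an added example (not code from the talk or from any of the named frameworks): the flawed matcher next to an exact-match allowlist; ALLOWED_ORIGINS and the example hosts are constructed.

```python
from urllib.parse import urlsplit

# Constructed allowlist of full origins (scheme + host + port), never bare domains.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com:8443"}

def acao_substring(origin: str, allowed: str = "example.com") -> dict:
    """Flawed check in the style of the crVCL bug: access is granted whenever the
    allowed string occurs anywhere in the Origin value (example.com.evil.com passes)."""
    if origin and allowed in origin:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}

def acao_exact(origin: str, allowed: set = ALLOWED_ORIGINS) -> dict:
    """Hardened check: Origin must be a bare https scheme://host[:port] and equal an
    allowlist entry exactly; 'null' and http origins are never reflected."""
    if not origin or origin == "null":
        return {}
    p = urlsplit(origin)
    if p.scheme != "https" or not p.netloc or p.path or p.query or p.fragment:
        return {}                       # not a well-formed origin (path/query present, wrong scheme)
    canonical = f"{p.scheme}://{p.netloc.lower()}"
    if canonical not in allowed:
        return {}
    return {"Access-Control-Allow-Origin": canonical,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}           # caches must not serve one origin's ACAO to another
```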
Invalid headers
• Invalid (creative) ACAO values we observed:
– self, true, false, undefined, None, 0, (null), domain, origin, SAMEORIGIN
Conclusions
• There is a lot of confusion on CORS
• It's too easy to misconfigure CORS
• Can remove all your web security
• ACAO: * is mostly harmless
Thanks for your attention...
CORStest: https://github.com/RUB-NDS/CORStest
Questions?
Some popular sites
• Online banking, insurance, bitcoin, payment and US state tax filing sites vulnerable:
– sparkassenversicherung.de, bitcoinpay.com, coinplug.com, bankofireland.com, korpay.com, lonestarnationalbank.com, moneymonk.nl, netbank.de, paytop.com, transferwise.com, citypay.com, payoffshore.com, nystax.gov, id.net, booking.com, microsoft.com, yandex.com, geschaeftskunden.telekom.de, agoda.com, fedex.com, adidas.de, dasoertliche.de, …
Non-SSL sites allowed
• An http origin is allowed access to an https resource, which allows a MitM attacker to break the encryption
(Diagram: the user visiting http://any.com is redirected to http://site.com, whose JavaScript sends a request with "Origin: http://site.com" to https://site.com/user-data, answered with "Access-Control-Allow-Origin: http://site.com")