1Jens Müller | Large Scale Analysis of CORS Misconfigurations 1

LargeScaleAnalysis ofCORSMisconfigurations

JensMüller

2Jens Müller | Large Scale Analysis of CORS Misconfigurations

Motivation

• HTTPsecurityheaders– X-Frame-Options– X-Content-Type-Options– X-XSS-Protection– Referrer-Policy– CSP, HSTS, HPKP– …

2

3Jens Müller | Large Scale Analysis of CORS Misconfigurations 33

4Jens Müller | Large Scale Analysis of CORS Misconfigurations

1. Background2. Misconfigurations3. CORStest4. Evaluation5. Conclusions

Overview

5Jens Müller | Large Scale Analysis of CORS Misconfigurations

WhatisCORS?

• Cross-OriginResourceSharing• Enableswebserverstoexplicitlyallowcross-siteaccesstoacertainresource

• PunchesholesintoSame-OriginPolicy

5

6Jens Müller | Large Scale Analysis of CORS Misconfigurations

Example

6

• SameOriginPolicy:Scriptscanonlyaccessdatafromthesameorigin(protocol,domain,port)

User

bank.com

WebrequestJavaScript

Origin: http://evil.com

evil.com

7Jens Müller | Large Scale Analysis of CORS Misconfigurations

Cross-OriginResourceSharing

7

Access-Control-Allow-Origin: http://good.com

User

site.com/api

WebrequestJavaScript

Origin: http://good.com

good.com

• CORS-basedwebAPIaccess

8Jens Müller | Large Scale Analysis of CORS Misconfigurations

CORSHTTPheaders

• Access-Control-Allow-Origin (ACAO)

–WhichURIisallowedaccess?• Access-Control-Allow-Credentials (ACAC)

– Accesswith(session)cookies?• SomemoreAccess-Control-… headers

8

9Jens Müller | Large Scale Analysis of CORS Misconfigurations

1. Background2. Misconfigurations3. CORStest4. Evaluation5. Conclusions

Overview

10Jens Müller | Large Scale Analysis of CORS Misconfigurations

Misconfigurations

10

11Jens Müller | Large Scale Analysis of CORS Misconfigurations

Developerbackdoor

• Insecuredeveloper/debugoriginsallowed

11

ACAO: https://fiddle.jshell.net

User

site.com/user-data

Origin: https://fiddle.jshell.net

fiddle.jshell.net

12Jens Müller | Large Scale Analysis of CORS Misconfigurations

Allowingaccesstomultiplesites

• Allowallorigins– ACAO: *– butneverwithcredentials(thereforemostlyharmless)

• Invalidconfigurations:– ACAO: site1, site2– ACAO: *.site

• Solution:DynamicallyreturnACAO basedonOrigin

12

13Jens Müller | Large Scale Analysis of CORS Misconfigurations

Subdomainsallowed

• sub.domain.com allowedaccess– exploitableifXSSinany subdomain

13

14Jens Müller | Large Scale Analysis of CORS Misconfigurations

Post/predomainwildcard

• notdomain.com isallowedaccess– cansimplyberegisteredbytheattacker

• domain.com.evil.com isallowedaccess– canbesimplybesetupbytheattacker

14

15Jens Müller | Large Scale Analysis of CORS Misconfigurations

Originreflection

• TheoriginissimplyechoedinACAO header– anysiteisallowedtoaccesstheresource

15

16Jens Müller | Large Scale Analysis of CORS Misconfigurations

Nullmisconfiguration

• ACAO: null toallowlocalHTMLfiles• null origincanbeforcedusinganiframe– anysiteisallowedtoaccesstheresource

• nullmaybereturnedbysoftware(Node.js)

16

17Jens Müller | Large Scale Analysis of CORS Misconfigurations

Protocol-relativeURLs

• ACAO: // returnedbysomewebsites• Howshouldbrowsersdealwiththis?– IE,Edge:denyallorigins– FF,Ch,Sa,Op:allowall

17

18Jens Müller | Large Scale Analysis of CORS Misconfigurations

http://site.com

Origin: http://site.com

Non-ssl sitesallowed

• Ahttp originisallowedaccesstoahttpsresource,allowsMitM tobreakencryption

18

Access-Control-Allow-Origin: http://site.com

User

https://site.com/user-data

19Jens Müller | Large Scale Analysis of CORS Misconfigurations

1. Background2. Misconfigurations3. CORStest4. Evaluation5. Conclusions

Overview

20Jens Müller | Large Scale Analysis of CORS Misconfigurations

CORStest

• SimpleCORSmisconfigurationscanner• https://github.com/RUB-NDS/CORStest• SendsrequestswithvariousOriginschecksfortheACAO/ACAC responses

20

21Jens Müller | Large Scale Analysis of CORS Misconfigurations

Demotime

21

22Jens Müller | Large Scale Analysis of CORS Misconfigurations

1. Background2. Misconfigurations3. CORStest4. Evaluation5. Conclusions

Overview

23Jens Müller | Large Scale Analysis of CORS Misconfigurations 2323

Evaluation:Alexatop1mwebsites

=29,514sites=3,750sites

24Jens Müller | Large Scale Analysis of CORS Misconfigurations 2424

Evaluation:Alexatop1mwithcredentials

=3,392sites=1,912sites

25Jens Müller | Large Scale Analysis of CORS Misconfigurations

Popularvulnerablesites

25

nystax.gov

flipboard.com

nike.net

moneymonk.nl

webtransfer.orgdiscourse.mozilla.org

oneplus.net

datacamp.com

planted.com

computerbild.de

moneyversed.com

peddler.com

falk.de

obamacare.netlemoney.com

dzpay.org

alepay.vn

americanbanker.com

wikibuy.com

apttus.com

ignite.microsoft.com

alipay.comtu-dresden.de

dasoertliche.de

chalk.comtransferwise.comduracell.com

metabo.com

korpay.com

taz.de

schwarzwaelder-bote.de

appnexus.commail.bg

profile.accounts.firefox.com

bitssa.com

events.att.com

staffhub.combitcoinpay.com

icofunding.com

jobsbeta.microsoft.com

fantrax.com

conductrics.com

knack.cominstructure.com

id.net

landr.com

conspire.com

passpack.com

paypax.info

alphaloan.co

playtestcloud.com

hyperwallet.com

officerreports.net

geschaeftskunden.telekom.de

btcclicks.compartnerevents.booking.com

wayfair.de

teltarif.de

bankofireland.com

cloud.net

academia.edu

azubi.de

kaspay.com

fullcontact.com

eismann.de

abendzeitung-muenchen.de

adidas.de

aboutyou.deporsche.com

esa.io

myshowpass.com

lonestarnationalbank.comhelpling.de

fedex.com

agoda.cominsight.rapid7.com

s.id

udacity.com

jobs.chsparkassenversicherung.de

paytop.com

crystalgraphics.com

login.worldpay.com

pixieset.com

cerego.com

sv-sachsen.de

walmart.com

wetransfer.com

flat.io

bungie.net

secure.paycor.com

libertex.comfundly.com

yummly.com

transform.microsoft.com

wallet.baidu.com

coinalarm.io garnier.de

netbank.de

token.im

payoffshore.com

loanframe.comprovinzial.de

zuto.com

native-instruments.de

ctf365.com

coinplug.com9cloud.us

citypay.com

slice.com

uberall.com

cheaptickets.de

26Jens Müller | Large Scale Analysis of CORS Misconfigurations

Reportingonamediumscale

• Hadtonotify1,912 1,500websites• Howtodothis? Contactmanually?

– security@,support@,info@, privacy@

• About300websitesfixedtheflaw…• Somedidnotwanttobelieve:– Kevinhasresolvedyourticket:“WearefullyPCI-DSScompliantandhavepassedallscans”

– “Weusethemostsecuredcloudserversandmilitarygradeencryptiontobackupyourdata”

26

27Jens Müller | Large Scale Analysis of CORS Misconfigurations

CausesforCORSmisconfigurations

27

$missing

→localhost.evil.com accessgranted

28Jens Müller | Large Scale Analysis of CORS Misconfigurations

CausesforCORSmisconfigurations

• CORSinAction containsexamplessuchasvar originWhitelist = ['null', …]

• Rack::Cors mapsorigins '' ororigins '*'intoreflectingallorigins(+CVE-2017-11173)

• crVCL PHPFrameworkjustchecksifallowedoriginstringiscontainedinOrigin value

28

29Jens Müller | Large Scale Analysis of CORS Misconfigurations

Invalidheaders

• Invalid(creative)ACAO valuesweobserved:– self, true, false, undefined, None, 0, (null), domain, origin, SAMEORIGIN

29

30Jens Müller | Large Scale Analysis of CORS Misconfigurations

1. Background2. Misconfigurations3. CORStest4. Evaluation5. Conclusions

Overview

31Jens Müller | Large Scale Analysis of CORS Misconfigurations

Conclusions

• ThereisalotofconfusiononCORS• It’stooeasytomisconfigureCORS• Canremoveallyourwebsecurity• ACAO: * ismostlyharmless

31

32Jens Müller | Large Scale Analysis of CORS Misconfigurations

Thanksforyourattention...

CORStestl https://github.com/RUB-NDS/CORStest

Questions?

32

33Jens Müller | Large Scale Analysis of CORS Misconfigurations

Somepopularsites

• Onlinebanking,insurance,bitcoins,paymentandUSstate'staxfilingsitesvulnerable:– sparkassenversicherung.de,bitcoinpay.com,coinplug.com,bankofireland.com,korpay.com,lonestarnationalbank.com,moneymonk.nl,netbank.de,paytop.com,transferwise.com,citypay.com,payoffshore.com,nystax.gov,id.net,booking.com,microsoft.com,yandex.com,geschaeftskunden.telekom.de,agoda.com,fedex.com,adidas.de,dasoertliche.de,…

33

34Jens Müller | Large Scale Analysis of CORS Misconfigurations

http://site.comhttp://any.com

Origin: http://site.com

Non-ssl sitesallowed

• Ahttp originisallowedaccesstoahttpsresource,allowsMitM tobreakencryption

34

Access-Control-Allow-Origin: http://site.com

User

https://site.com/user-data

Redirecttohttp://site.com