Thursday, August 20, 2020

CORS Misconfigurations On A Large Scale

Inspired by James Kettle's great OWASP AppSec Europe talk on CORS misconfigurations, we decided to fiddle around with CORS security issues a bit. We were curious how many websites out there are actually vulnerable because of dynamically generated or misconfigured CORS headers.

The issue: CORS misconfiguration

Cross-Origin Resource Sharing (CORS) is a technique to punch holes into the Same-Origin Policy (SOP) – on purpose. It enables web servers to explicitly allow cross-site access to a certain resource by returning an Access-Control-Allow-Origin (ACAO) header. Sometimes the value is even dynamically generated from user input such as the Origin header sent by the browser. If misconfigured, an unintended website can access the resource. Furthermore, if the Access-Control-Allow-Credentials (ACAC) response header is also set, an attacker can potentially leak sensitive information from a logged-in user – which is almost as bad as XSS on the actual website. Below is a list of CORS misconfigurations which can potentially be exploited. For more technical details on the issues, read this fine blog post.

Misconfiguration       Description
Developer backdoor     Insecure developer/debug origins like JSFiddle or CodePen are allowed to access the resource
Origin reflection      The Origin is simply echoed in the ACAO header; any site is allowed to access the resource
Null misconfiguration  Any site is allowed access by forcing the null origin via a sandboxed iframe
Pre-domain wildcard    notdomain.com is allowed access, which can simply be registered by the attacker
Post-domain wildcard   domain.com.evil.com is allowed access, which can simply be set up by the attacker
Subdomains allowed     sub.domain.com is allowed access; exploitable if the attacker finds XSS in any subdomain
Non-SSL sites allowed  An HTTP origin is allowed access to an HTTPS resource, which allows a MitM to break the encryption
Invalid CORS header    Wrong use of wildcards or multiple origins; not a security problem but should be fixed

The tool: CORStest

Testing for such vulnerabilities can easily be done with curl(1). To support some more options, for example parallelization, we wrote CORStest, a simple Python-based CORS misconfiguration checker. It takes as input a text file containing a list of domain names or URLs to check for misconfigurations and supports some further options:

usage: corstest.py [arguments] infile

positional arguments:
infile File with domain or URL list

optional arguments:
-h, --help show this help message and exit
-c name=value Send cookie with all requests
-p processes multiprocessing (default: 32)
-s always force ssl/tls requests
-q quiet, allow-credentials only
-v produce a more verbose output

CORStest can detect potential vulnerabilities by sending various Origin request headers and checking the Access-Control-Allow-Origin response header for each of them. Example output for those of the Alexa top 750 websites that allow credentials for CORS requests is given below.
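The probing just described, as an added example: a small Node.js checker that is not CORStest's own code. It sends each candidate Origin from the misconfiguration table above (reflection, null, pre-/post-domain wildcard, subdomain, plain-http, developer backdoor) and classifies the ACAO/ACAC headers that come back. The target URL and the two fake servers at the bottom are constructed for the offline run; analyzeLive() does the same against a real site using fetch. All hostnames are made up.

```javascript
'use strict';
// Added example, not CORStest's own code: a CORStest-style probe and classifier.
// The decision logic is synchronous and sits behind a `send(origin) -> { acao, acac }`
// callback, so it runs against a fake server offline (constructed below) or,
// via analyzeLive(), against a live target.

// Candidate origins for a target; each entry: check name, Origin value, who can exploit it.
function candidateOrigins(targetUrl) {
  const { hostname } = new URL(targetUrl);
  const registrable = hostname.split('.').slice(-2).join('.'); // crude eTLD+1, e.g. example.com
  return [
    ['origin reflection',    'https://evil.example',             'web attacker'],
    ['null misconfig',       'null',                             'web attacker (sandboxed iframe)'],
    ['pre-domain wildcard',  `https://not${registrable}`,        'web attacker (registers the domain)'],
    ['post-domain wildcard', `https://${hostname}.evil.example`, 'web attacker (sets up the subdomain)'],
    ['subdomains allowed',   `https://some-sub.${registrable}`,  'web attacker with XSS on any subdomain'],
    ['non-SSL allowed',      `http://${hostname}`,               'network attacker (MitM on the plaintext origin)'],
    ['developer backdoor',   'https://jsfiddle.net',             'web attacker (hosts a fiddle)'],
  ];
}

// A usable ACAO value is '*', 'null', or exactly one serialized origin.
// '*.example.com', lists of origins, 'self', 'true' and friends are all invalid.
function isExactOrigin(value) {
  if (value === '*' || value === 'null') return true;
  try { return new URL(value).origin === value; } catch { return false; }
}

function analyze(targetUrl, send) {
  const findings = [];
  const once = (name, acao, acac) => {
    if (!findings.some(f => f.name === name)) findings.push({ name, acao, acac, risk: 'none' });
  };
  const targetIsHttps = new URL(targetUrl).protocol === 'https:';
  for (const [name, origin, attacker] of candidateOrigins(targetUrl)) {
    if (name === 'non-SSL allowed' && !targetIsHttps) continue;  // only meaningful for HTTPS targets
    const { acao, acac } = send(origin);
    if (acao === undefined || acao === null) continue;           // no CORS for this origin
    if (acao === '*') { once('wildcard', acao, acac); continue; } // public; browsers refuse '*' with credentials
    if (!isExactOrigin(acao)) { once('invalid header', acao, acac); continue; }
    if (acao !== origin) continue;                               // some fixed whitelist entry, not ours
    // Without ACAC the attacker only reads what an anonymous client could fetch anyway.
    findings.push({ name, acao, acac, risk: acac ? attacker : 'none without credentials' });
    if (name === 'origin reflection') break;                     // reflection subsumes every other check
  }
  return findings;
}

// Live variant: fire all probes in parallel (GET, redirects followed), then reuse analyze().
async function analyzeLive(targetUrl, fetchImpl = fetch) {
  const seen = new Map();
  await Promise.all(candidateOrigins(targetUrl).map(async ([, origin]) => {
    const res = await fetchImpl(targetUrl, { headers: { Origin: origin }, redirect: 'follow' });
    seen.set(origin, {
      acao: res.headers.get('access-control-allow-origin'),
      acac: (res.headers.get('access-control-allow-credentials') || '').trim().toLowerCase() === 'true',
    });
  }));
  return analyze(targetUrl, origin => seen.get(origin) || {});
}

// ---- constructed fake servers for the stand-alone run ----
// Echoes any Origin and adds credentials, the effect of an nginx
// `add_header Access-Control-Allow-Origin $http_origin;` plus an ACAC: true line.
function reflectingServer(origin) { return { acao: origin, acac: true }; }
// Sloppy substring whitelist: "allow anything that mentions example.com".
function sloppyServer(origin) {
  return { acao: origin.includes('example.com') ? origin : null, acac: true };
}

const TARGET = 'https://www.example.com'; // constructed target
console.log('reflecting server:', analyze(TARGET, reflectingServer));
console.log('sloppy whitelist:', analyze(TARGET, sloppyServer));
```

Run it with node; against a live target, call analyzeLive('https://target.example') and inspect the returned findings. Two rules in the classifier are worth noting: an ACAO of * is reported only once and never as exploitable, because browsers refuse it for credentialed requests, and a matching origin without ACAC: true is downgraded, since the attacker then reads only what an anonymous client could fetch anyway.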

Evaluation with Alexa top 1 Million websites

To evaluate on a larger scale how many sites actually have wide-open CORS configurations, we ran CORStest on the Alexa top 1 million sites:

$ git clone https://github.com/RUB-NDS/CORStest.git && cd CORStest/
$ wget -q http://s3.amazonaws.com/alexa-static/top-1m.csv.zip
$ unzip top-1m.csv.zip
$ awk -F, '{print $2}' top-1m.csv > alexa.txt
$ ./corstest.py alexa.txt

This test took about 14 hours on a decent connection and revealed the following results:

Only 29,514 websites (about 3%) actually supported CORS on their main page, i.e. responded with an Access-Control-Allow-Origin header. Of course, many sites such as Google only enable CORS headers for certain resources, not directly on their landing page. We could have crawled all websites (including subdomains) and fed the result to CORStest. However, this would have taken a long time, and for statistics our quick & dirty approach should still be fine. Furthermore, it must be noted that the test was only performed with GET requests (without any CORS preflight) against the http:// version of the websites (with redirects followed).

Note that just because a website, for example, reflects the Origin header, it is not necessarily vulnerable. The context matters: such a configuration can be totally fine for public sites or API endpoints intended to be accessible by everyone. It can be disastrous for payment sites or social media platforms. Furthermore, to be actually exploitable, the Access-Control-Allow-Credentials: true (ACAC) header must be set. Therefore we repeated the test, this time limited to sites that return this header (see the CORStest -q flag):

$ ./corstest.py -q alexa.txt

This revealed even worse results: almost half of the websites supporting ACAO and ACAC headers contained a CORS misconfiguration that could be exploited directly by a web attacker (developer backdoor, origin reflection, null misconfig, pre-/post-domain wildcard):

The Impact: SOP/SSL bypass on payment and taxpayer sites

Note that not all tested websites were actually exploitable. Some contained only public data, and others – such as Bitbucket – had CORS enabled for their main page but not for the subpages containing user data. Manually testing the sites, we found the following to be vulnerable:
  • A dozen online banking, bitcoin and other payment sites; one of them allowed us to create a test account, so we were able to write proof-of-concept code that could actually have been used to steal money
  • Hundreds of online shops/e-commerce sites and a bunch of hotel/flight booking sites
  • Various social networks and misc. sites which allow users to log in and communicate
  • One US state's tax filing website (however, this one was exploitable by a MitM only)
We informed all sites we manually tested and found to be vulnerable. A simple exploit code example when logged into a website with CORS origin reflection is given below.


The Reason: Copy & Paste and broken frameworks

We were further interested in the reasons for CORS misconfigurations. In particular, we wanted to learn whether there is a correlation between the technology used and misconfigurations. Therefore we used WhatWeb to fingerprint the web technologies of all vulnerable sites. CORS is usually enabled either directly in the HTTP server configuration or by the web application/framework. While we could not identify a single major cause for CORS misconfigurations, we found various potential reasons. The majority of dangerous Access-Control-* headers had probably been introduced by developers; others, however, are based on bugs and bad practices in some products. Insights follow:
  • Various websites return invalid CORS headers; besides wrong use of wildcards such as *.domain.com, ACAO headers which contain multiple origins can often be found. Other examples of invalid – but quite creative – ACAO values we observed are: self, true, false, undefined, None, 0, (null), domain, origin, SAMEORIGIN
  • Rack::Cors, the de facto standard library to enable CORS for Ruby on Rails, maps origins '' or origins '*' into reflecting arbitrary origins; this is dangerous, because developers would think that '' allows nothing and that '*' behaves according to the spec, which is mostly harmless because it cannot be used to make 'credentialed' requests; this config error leads to origin reflection with ACAC headers on about a hundred of the tested and vulnerable websites
  • A majority of websites which allow an http origin CORS access to an https resource run on IIS; this seems to be no bug in IIS itself but rather caused by bad advice found on the Internet
  • nginx is the winner when it comes to serving websites with origin reflection; again, this is not an issue of nginx but of dangerous configs copied from Stack Overflow; the same problem applies to Phusion Passenger
  • The null ACAO value may be based on programming languages that simply return null if no value is given (we haven't found any specific framework though); another explanation is that 'CORS in Action', a popular book on CORS, contains various examples with code such as var originWhitelist = ['null', ...], which could be misinterpreted by developers as safe
  • If CORS is enabled in the crVCL PHP Framework, it adds ACAC and ACAO headers for a configured domain. Unfortunately, it also introduces a post-domain and pre-subdomain wildcard vulnerability: sub.domain.com.evil.com
  • All sites that are based on "Solo Build It!" (scam?) respond with: Access-Control-Allow-Origin: http://sbiapps.sitesell.com
  • Some sites have :// or // as fixed ACAO values. How should browsers deal with this? Inconsistently, at least: Firefox, Chrome, Safari and Opera allow arbitrary origins, while IE and Edge deny all origins.