
CORS vulnerability exploitation examples


As already explained, when CORS is enabled, a web browser is allowed to load resources from origins (hosts) that are different from the origin of the user's initial request (the host shown in the browser's address bar).

Exploitation example 1

You browse the web page of your bank https://www.mybank.example (which you clearly trust to some extent, since you opened an account with them) in order to log into your online banking account.
Unfortunately, your bank has decided to use CORS for parts of its website and, because of that, their website loads images, audio, video or scripts from other third-party hosts (which they trust, or which they use for their own financial convenience) using CORS.
The external provider of scripts or multimedia content does not necessarily follow the same security standards as your bank (or it is just about to go bankrupt and therefore urgently needs cash).
What can happen is that the images (or JavaScript files) loaded from the external provider contain harmful code: the latter is extremely easy to embed into a digital image by exploiting code vulnerabilities such as the widespread "buffer overflow" weaknesses in image processing libraries (for example, for the well-known libpng library (Portable Network Graphics format), see [1], [2], [3], [4], [5], [6], [7], [8]). Similar considerations apply to audio and video content.

The result is that, after pointing your web browser at your bank's website https://www.mybank.example, you have loaded not only the trusted code supplied by your bank, but also harmful content from, say, https://www.evilprovider.example, resulting in a crash of your online banking session and eventually in the compromise of sensitive data (e.g. passwords).


Exploitation example 2

You browse the web page of an "embarrassing" website https://www.embarassing.example that makes you laugh and have good fun, and over the years you have come to trust the website maintainers for being respectful of visitors' privacy.
Unfortunately, your favourite embarrassing website has recently signed a business agreement to deliver videos through a so-called Content Delivery Network (CDN), which possibly does not show the same respect for visitors' privacy as the real https://www.embarassing.example website.

The result is that every time you point your browser at https://www.embarassing.example, your IP (Internet Protocol) address is logged not only by the website that you intended to visit, but also by the host of the malicious Content Delivery Network: so your Internet browsing privacy is lost!


Exploitation example 3

For many applications, a parallel can be made between the Cross-Origin Resource Sharing in computer security and the abstract concept of "externalization of security".

Externalization (or outsourcing) is by definition the act of delegating something to somebody else. For a business, externalization of computer security (or outsourcing of computer security) means delegating the protection and confidentiality of critical or confidential information and data to other business entities in exchange for money, through a free-market agreement.

However, information security or computer security is critical to most business organizations and persons, so the act of externalizing (or outsourcing) it necessarily implies a critical dependency on another (external) organization and therefore it might lead to a critical loss of security, should the external organization fail or breach the agreement.

Also consider that, once an organization has agreed to outsource part of its data processing, usually nothing prevents its most dangerous form, namely multi-level (or cascaded) outsourcing, from taking place.

Therefore, in most cases, and in particular for information or computer security, the act of externalizing or outsourcing information and computer security generally implies an extremely high risk of losing all security (externalization of information security will always tend towards having no security in place at all).

This example can often be related to the so-called "decentralized Ponzi schemes" as well as to the so-called "Pyramid schemes", both of which are well known fraud schemes.


Exercise 1

Describe how the Cross-Origin Resource Sharing (CORS) vulnerability can lead to the leak of the Internet Protocol (IP) address of the client to third parties other than the server hosting the website visited.


Exercise 2

Describe how the Cross-Origin Resource Sharing (CORS) vulnerability can be exploited by a malicious website to steal the cookies stored by the browser.


Conclusion

The conclusion is that, exactly as in real life, trust is not a transitive property: you do not normally trust your friends' acquaintances, and sometimes not even your son's new girlfriend, until you get to know them a little better!
This is the reason why you should not, in general, trust CORS to load resources that you have not explicitly requested.



Copyright © 2017-2024 Guido Trentalancia. All rights reserved.