Unsafe Cross-Origin Resource Sharing

What is Same Origin Policy(SOP)?

SOP is a security mechanism provided by browsers to restrict access between resources of two different websites via javascript.

e.g., www.example.com has SOP; then it can access data from only the same origin like www.example.com/js/main.js but not from a site like www.other-site.com/main.js

** origin** is consists of scheme, host, and port number.

Thus, SOP is used to keep privileged information safe by preventing Cross Origin Read.

What is Cross-Origin Resource Sharing(CORS)?

CORS is a security mechanism that relaxes SOP and adds some flexibility to it.

CORS is important, because an organization may have multiple websites which need to communicate with each other.

HTTP Headers related to CORS:-

Access-Control-Allow-Origin
- this specifies which host to allow for cross origin requests.
Access-Control-Allow-Credentials
- this specifies whether or not to send cookies with the request.
Access-Control-Allow-Methods
- this specifies which HTTP method is allowed for CORS.

common mis-configurations in CORS:-

(*) wildcard
- In this case, CORS is allowed from any origin domain.
- if you send request
```
GET /api/user/1234
Host: example.com
Origin: anything.com
```
  You will get response header as,
```
HTTP/1.0 200 OK
Access-Control-Allow-Origin: anything.com
Access-Control-Allow-Credentials: true
```
- So, if that response contains some private/critical data, This vulnerability can be exploited.
Pre-domain wildcard
- In this case, CORS is allowed from a domain with any prefix.
- let's say; server configured to allow domain.com and anything ending with domain.com (To allow from subdomains)
- if you send request
```
GET /api/user/1234
Host: example.com
Origin: predomain.com
```
  You will get response header as,
```
HTTP/1.0 200 OK
Access-Control-Allow-Origin: predomain.com
Access-Control-Allow-Credentials: true
```
null origin
- If origin supports null value like,
```
GET /api/user/1234
Host: example.com
Origin: null
```
  and respond like this,
```
HTTP/1.0 200 OK
Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: true
```
  Then, it is vulnerable.
- An attacker can manage to set the domain as null and exploit vulnerability, like this

```

How to test for CORS Misconfiguration?

use the following command curl https://www.sitetotest.com -H "Origin: http://anything.com" -I

Check if response header contains

HTTP/1.0 200 OK
Access-Control-Allow-Origin: anything.com
Access-Control-Allow-Credentials: true

Impact

Sensitive data of the user can be leaked.
may leak CSRF_token, which can lead to CSRF Attack.
if Access-Control-Allow-Credentials is set to true, attacker can perform privileged actions on behalf of the user.

Prevention

Allow only trusted sites, instead (*) wildcard.
Use a whitelist of the trusted domain instead of wildcard or regular expressions
If you are using Regular Expression to match the origin, ensure that It should not be bypassed.
Don't set Access-Control-Allow-Credentials to true, unless you need it.

web vulnerabilities