Why Cross-origin Resource Sharing Is Very Dangerous

I will now introduce you to something a little different from most vulnerabilities and injections. I am going to talk about HTML5’s cross-origin resource sharing, also known as CORS. Let’s see what it looks like and, first of all, what it means.

Cross-origin Resource Sharing Description

The best way to explain CORS to someone is to describe it as a mechanism. That mechanism allows restricted resources on a web page, for example fonts, to be requested from another domain, that is, a domain outside the one from which the first resource was served. How does a web page use it? It can freely embed cross-origin images, for example, and it can do the same with stylesheets, iframes, videos, and even scripts.

What you also need to remember about CORS is that it defines how a browser and a server interact in order to determine whether a cross-origin request is safe or not. Its policy is fine-grained and can apply access controls per request, most often based on the URL but also on other features of the request itself.

Cross-origin Resource Sharing Impact

Given these characteristics, it may seem at first glance that there is nothing to be afraid of. But we have only just begun this lesson. Let’s say that one domain (not the original one) is allowed by the policy. How can that serve attackers? Users can then be attacked very easily, because their apps remain vulnerable. Imagine that a user is logged in to the app and then visits the domain that was allowed by CORS. What may happen? The user can receive many kinds of malicious content running on that domain. What if the domain is not vulnerable? That doesn’t change the situation much. Security vulnerabilities that remain in that domain can later create a situation that helps the attacker gain access to the user’s data.

Example Of Cross-origin Resource Sharing

I will now show you what it looks like when a CORS-compatible browser makes a cross-origin request.

Here the browser sends OPTIONS requests. They all carry an Origin HTTP header.

Origin: http://www.example.com

How does the server respond then?

Access-Control-Allow-Origin: http://www.example.com
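
The same exchange seen from the server side, as an added example that is not part of the original article: a function that decides whether to answer with Access-Control-Allow-Origin, using an exact-match allowlist and checking preflight requests. Only http://www.example.com comes from the page; the allowed methods and headers, the function name and the sample requests are assumptions.

```javascript
// Added example, not from the original article. Only http://www.example.com is
// taken from the page; the method and header allowlists are assumptions.
const POLICY = {
  origins: new Set(['http://www.example.com']),
  methods: new Set(['GET', 'HEAD', 'POST']),
  headers: new Set(['content-type']),
};

// req: { method, headers } with lower-case header names, as Node's http module provides.
function corsDecision(req) {
  // Vary: Origin stops a shared cache from replaying one origin's answer to another.
  const deny = { allowed: false, preflight: false, headers: { Vary: 'Origin' } };
  const origin = req.headers.origin;

  // Exact string match only. Prefix, suffix or regex tests accept look-alike hosts,
  // and the literal "null" origin is never trusted.
  if (typeof origin !== 'string' || !POLICY.origins.has(origin)) return deny;

  const headers = { Vary: 'Origin', 'Access-Control-Allow-Origin': origin };
  const wantedMethod = req.headers['access-control-request-method'];
  if (req.method !== 'OPTIONS' || wantedMethod === undefined) {
    return { allowed: true, preflight: false, headers }; // actual request
  }

  // Preflight: approve only the method and headers the policy names.
  const wantedHeaders = (req.headers['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (!POLICY.methods.has(wantedMethod) || !wantedHeaders.every((h) => POLICY.headers.has(h))) {
    return { ...deny, preflight: true };
  }
  headers['Access-Control-Allow-Methods'] = [...POLICY.methods].join(', ');
  headers['Access-Control-Allow-Headers'] = [...POLICY.headers].join(', ');
  return { allowed: true, preflight: true, headers };
}

// Constructed sample requests.
const samples = [
  { method: 'OPTIONS', headers: { origin: 'http://www.example.com',
      'access-control-request-method': 'POST',
      'access-control-request-headers': 'Content-Type' } },
  { method: 'GET', headers: { origin: 'http://www.example.com.attacker.test' } },
  { method: 'GET', headers: { origin: 'null' } },
];
for (const s of samples) console.log(s.headers.origin, '->', corsDecision(s));
```

When the function denies a request, the response carries no Access-Control-Allow-Origin header, so the browser keeps the calling page from reading it.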

Recent Attacks Of Cross-origin Resource Sharing

Let’s think about the best way for you to understand how the whole attack process works, what the flaws are that we will later discuss how to fix, and of course how to apply the examples I gave you. I have already told you that an attack can steal the user’s username and also gain access to the app. Once the attacker has gained access, if he or she has enough knowledge, they will easily work out how to get to the whole server, causing so much damage that it is better not to imagine it.

Let’s say that we have JavaScript that has made a cross-domain XHR call. The next thing you need to determine is whether it’s a GET or a HEAD. If it’s a HEAD, then you just need to be sure that there are some custom HTTP headers. If they do exist, it is possible to make an actual XHR. But what if it’s a POST? Ask yourself first whether the content type is a standard one. If yes, ask yourself the same question that applies to GET. Has the server responded with an appropriate Access-Control-* header? If yes, it’s an error.

How To Fix Cross-origin Resource Sharing

Now you have a lot of information about CORS. I am sure that you have already worked out how to prevent its problems, or how not to run into its flaws. But let’s say that you already have some problems with it. What should you do? First of all, update your server. Then you can try to use JSONP, a technique which will help you to recognize the GET methods. If all else fails, turn to a service proxy and add it to the server side of your app.

This was a slightly different lesson, but I am sure that you have enjoyed gaining so much valuable knowledge. As technology in the world changes, our knowledge needs to follow it!