CORS Misconfigurations On A Large Scale

Inspired by James Kettle's great OWASP AppSec Europe talk on CORS misconfigurations, we decided to fiddle around with CORS security issues a bit. We were curious how many websites out there are actually vulnerable because of dynamically generated or misconfigured CORS headers.

The issue: CORS misconfiguration

Cross-Origin Resource Sharing (CORS) is a technique to punch holes into the Same-Origin Policy (SOP) – on purpose. It enables web servers to explicitly allow cross-site access to a certain resource by returning an Access-Control-Allow-Origin (ACAO) header. Sometimes, the value is even dynamically generated based on user-input such as the Origin header send by the browser. If misconfigured, an unintended website can access the resource. Furthermore, if the Access-Control-Allow-Credentials (ACAC) server header is set, an attacker can potentially leak sensitive information from a logged in user – which is almost as bad as XSS on the actual website. Below is a list of CORS misconfigurations which can potentially be exploited. For more technical details on the issues read the this fine blogpost.

Misconfiguation	Description
Developer backdoor	Insecure developer/debug origins like JSFiddler CodePen are allowed to access the resource
Origin reflection	The origin is simply echoed in ACAO header, any site is allowed to access the resource
Null misconfiguration	Any site is allowed access by forcing the null origin via a sandboxed iframe
Pre-domain wildcard	notdomain.com is allowed access, which can simply be registered by the attacker
Post-domain wildcard	domain.com.evil.com is allowed access, can be simply be set up by the attacker
Subdomains allowed	sub.domain.com allowed access, exploitable if the attacker finds XSS in any subdomain
Non-SSL sites allowed	An HTTP origin is allowed access to a HTTPS resource, allows MitM to break encryption
Invalid CORS header	Wrong use of wildcard or multiple origins,not a security problem but should be fixed

The tool: CORStest

Testing for such vulnerabilities can easily be done with curl(1). To support some more options like, for example, parallelization we wrote CORStest, a simple Python based CORS misconfiguration checker. It takes a text file containing a list of domain names or URLs to check for misconfigurations as input and supports some further options:

usage: corstest.py [arguments] infile

positional arguments:
  infile         File with domain or URL list

optional arguments:
  -h, --help     show this help message and exit
  -c name=value  Send cookie with all requests
  -p processes   multiprocessing (default: 32)
  -s             always force ssl/tls requests
  -q             quiet, allow-credentials only
  -v             produce a more verbose output

CORStest can detect potential vulnerabilities by sending various Origin request headers and checking for the Access-Control-Allow-Origin response. An example for those of the Alexa top 750 websites which allow credentials for CORS requests is given below.

Evaluation with Alexa top 1 Million websites

To evaluate – on a larger scale – how many sites actually have wide-open CORS configurations we did run CORStest on the Alexa top 1 million sites:

$ git clone https://github.com/RUB-NDS/CORStest.git && cd cors/
$ wget -q http://s3.amazonaws.com/alexa-static/top-1m.csv.zip
$ unzip top-1m.csv.zip
$ awk -F, '{print $2}' top-1m.csv > alexa.txt
$ ./corstest.py alexa.txt

This test took about 14 hours on a decent connection and revealed the following results:

Only 29,514 websites (about 3%) actually supported CORS on their main page (aka. responded with Access-Control-Allow-Origin). Of course, many sites such as Google do only enable CORS headers for certain resources, not directly on their landing page. We could have crawled all websites (including subdomains) and fed the input to CORStest. However, this would have taken a long time and for statistics, our quick & dirty approach should still be fine. Furthermore it must be noted that the test was only performed with GET requests (without any CORS preflight) to the http:// version of websites (with redirects followed). Note that just because a website, for example, reflects the origin header it is not necessarily vulnerable. The context matters; such a configuration can be totally fine for a public sites or API endpoints intended to be accessible by everyone. It can be disastrous for payment sites or social media platforms. Furthermore, to be actually exploitable the Access-Control-Allow-Credentials: true (ACAC) header must be set. Therefore we repeated the test, this time limited to sites that return this header (see CORStest -q flag):

$ ./corstest.py -q alexa.txt

This revealed even worse results - almost half of the websites supporting ACAO and ACAC headers contained a CORS misconfigurations that could be exploited directly by a web attacker (developer backdoor, origin reflection, null misconfig, pre-/post-domain wildcard):

The Impact: SOP/SSL bypass on payment and taxpayer sites

Note that not all tested websites actually were exploitable. Some contained only public data and some others - such as Bitbucket - had CORS enabled for their main page but not for subpages containing user data. Manually testing the sites, we found to be vulnerable:

• A dozen of online banking, bitcoin and other payment sites; one of them allowed us to create a test account so we were able to write proof-of-concept code which could actually have been used to steal money
• Hundred of online shops/e-commerce sites and a bunch of hotel/flight booking sites
• Various social networks and misc sites which allow users to log in and communicate
• One US state's tax filing website (however, this one was exploitable by a MitM only)

We informed all sites we manually tested and found to be vulnerable. A simple exploit code example when logged into a website with CORS origin reflection is given below.

The Reason: Copy & Paste and broken frameworks

We were further interested in reasons for CORS misconfigurations. Particularly we wanted to learn if there is a correlation between applied technology and misconfiguration. Therefore we used WhatWeb to fingerprint the web technologies for all vulnerable sites. CORS is usually enabled either directly in the HTTP server configuration or by the web application/framework. While we could not identify a single major cause for CORS misconfigurations, we found various potential reasons. A majority of dangerous Access-Control-* headers had probably been introduced by developers, others however are based on bugs and bad practices in some products. Insights follow:

• Various websites return invalid CORS headers; besides wrong use of wildcards such as *.domain.com, ACAO headers which contain multiple origins can often be found; Other examples of invalid - but quite creative - ACAO values we observed are: self, true, false, undefined, None, 0, (null), domain, origin, SAMEORIGIN
• Rack::Cors, the de facto standard library to enable CORS for Ruby on Rails maps origins '' or origins '*' into reflecting arbitrary origins; this is dangerous, because developers would think that '' allows nothing and '*' behaves according to the spec: mostly harmless because it cannot be used to make to make 'credentialed' requests; this config error leads to origin reflection with ACAC headers on about a hundred of the tested and vulnerable websites
• A majority of websites which allow a http origin to CORS access a https resource are run on IIS; this seems to be no bug in IIS itself but rather caused by bad advises found on the Internet
• nginx is the winner when it comes serving websites with origin reflections; again, this is not an issue of nginx but of dangerous configs copied from "Stackoverflow; same problem for Phusion Passenger
• The null ACAO value may be based on programming languages that simply return null if no value is given (we haven't found any specific framework though); another explanation is that 'CORS in Action', a popular book on CORS, contains various examples with code such as var originWhitelist = ['null', ...], which could be misinterpreted by developers as safe
• If CORS is enabled in the crVCL PHP Framework, it adds ACAC and ACAO headers for a configured domain. Unfortunatelly, it also introduces a post-domain and pre-subdomain wildcard vulnerability: sub.domain.com.evil.com
• All sites that are based on "Solo Build It!" (scam?) respond with: Access-Control-Allow-Origin: http://sbiapps.sitesell.com
• Some sites have :// or // as fixed ACAO values. How should browsers deal with this? Inconsistent at least! Firefox, Chrome, Safari and Opera allow arbitrary origins while IE and Edge deny all origins.

More information

1. Hacking Tools Windows 10
2. Hack Rom Tools
3. Pentest Tools Nmap
4. Pentest Automation Tools
5. Hacker Search Tools
6. Tools For Hacker
7. Hacking Tools For Windows
8. Pentest Tools Github
9. Hacker Tools Online
10. Blackhat Hacker Tools
11. Hacking Apps
12. Hacking Tools For Beginners
13. Pentest Box Tools Download
14. What Are Hacking Tools
15. Hacking Tools
16. Pentest Tools Kali Linux
17. Hacking Tools For Mac
18. Pentest Reporting Tools
19. Pentest Tools Windows
20. Best Hacking Tools 2019
21. Hack Tools Online
22. Pentest Automation Tools
23. Bluetooth Hacking Tools Kali
24. Hack Website Online Tool
25. Hacking Tools For Kali Linux
26. Pentest Tools Bluekeep
27. Hack Tools
28. Pentest Tools Download
29. Hacker Tools For Ios
30. Pentest Tools Port Scanner
31. Hack Tools For Pc
32. Hacking Tools 2019
33. Nsa Hack Tools Download
34. Pentest Tools For Ubuntu
35. Hack Tools Github
36. Hacking Tools For Beginners
37. Hacker Tools Mac
38. Underground Hacker Sites
39. Kik Hack Tools
40. Hack Tools For Games
41. Best Hacking Tools 2020
42. Hacking Tools Download
43. Free Pentest Tools For Windows
44. Hacking Tools 2020
45. Hack Tools Online
46. Hack Tools
47. Hack Tools For Pc
48. Hacking Tools Name
49. Easy Hack Tools
50. Hack Apps
51. Hack App
52. Hacker Tools Apk
53. Hackrf Tools
54. Hack Tools Download
55. Hack Tools Github
56. Hacking Tools Mac
57. Hacker Tools For Ios
58. Hacker Tools Apk
59. Hack Tools Pc
60. Hacking Tools Github
61. How To Make Hacking Tools
62. Hacks And Tools
63. Hack Tools Pc
64. Hacking Tools Name
65. Pentest Tools Subdomain
66. Pentest Tools Find Subdomains
67. Hacking Tools Github
68. Pentest Tools Open Source
69. What Is Hacking Tools
70. Hack Tools For Ubuntu
71. Hacking Tools Mac
72. Hacking Tools Windows
73. Best Hacking Tools 2019
74. Hacker Tools For Pc
75. Hacker Tools
76. Hacking Tools Kit
77. Hacker Tools
78. Hack Rom Tools
79. Hacker Tools List
80. Tools For Hacker
81. Hack Website Online Tool
82. Pentest Tools Website
83. Pentest Tools Bluekeep
84. Pentest Tools Alternative
85. Black Hat Hacker Tools
86. Hacker Tools Windows
87. Hacker Tools Hardware
88. Nsa Hack Tools Download
89. Hacker Hardware Tools
90. How To Make Hacking Tools
91. Pentest Tools
92. Hack Tools
93. Pentest Tools Website Vulnerability
94. Hacking Tools Online
95. Pentest Tools Url Fuzzer
96. Hack Tool Apk No Root
97. Pentest Tools Android
98. Hacker Tool Kit
99. Hacking Tools Online
100. Hacker Tools
101. Hacker Tools Hardware
102. Game Hacking
103. Hacker Tools
104. Hacking Tools
105. Hacking Tools Windows 10
106. Growth Hacker Tools
107. Hacker Security Tools
108. Pentest Tools Kali Linux
109. Hack Rom Tools
110. Hacker Tools 2019
111. Hacker Tools Mac
112. What Are Hacking Tools
113. Pentest Tools Website
114. Hack Tools Mac
115. Pentest Tools Framework
116. Hacking Tools
117. Hacking Tools Download
118. Hacks And Tools
119. Pentest Tools For Ubuntu
120. Hack Tools
121. Hack Website Online Tool
122. Install Pentest Tools Ubuntu
123. Hacking Apps
124. Best Hacking Tools 2019
125. Ethical Hacker Tools
126. Hack Tool Apk No Root
127. Hacking Tools Name
128. Hack Tools For Games
129. Pentest Tools Windows
130. Free Pentest Tools For Windows
131. Hacker Tools
132. Hacker Tools 2019
133. Hacker Tools For Windows
134. Pentest Tools Github
135. Hacking App
136. New Hacker Tools
137. Hacker Tools Online
138. Hacking Tools Software
139. Pentest Tools Windows
140. Hacker Tools For Windows
141. Hacker Tool Kit
142. Hack Apps
143. Pentest Tools Windows
144. Hacker Tools For Ios
145. Hackers Toolbox
146. Hacking Tools Software