Large Scale Analysis of CORS Misconfigurations
Jens Müller

Motivation
• HTTP security headers
– X-Frame-Options
– X-Content-Type-Options
– X-XSS-Protection
– Referrer-Policy
– CSP, HSTS, HPKP
– …

Overview
1. Background
2. Misconfigurations
3. CORStest
4. Evaluation
5. Conclusions

What is CORS?
• Cross-Origin Resource Sharing
• Enables web servers to explicitly allow cross-site access to a certain resource
• Punches holes into Same-Origin Policy

Example
• Same Origin Policy: Scripts can only access data from the same origin (protocol, domain, port)
Diagram: JavaScript running in the user's browser on evil.com sends a web request to bank.com carrying "Origin: http://evil.com"

Cross-Origin Resource Sharing
• CORS-based web API access
Diagram: JavaScript from good.com sends a web request to site.com/api carrying "Origin: http://good.com"; the server answers with "Access-Control-Allow-Origin: http://good.com"

CORS HTTP headers
• Access-Control-Allow-Origin (ACAO)
– Which URI is allowed access?
• Access-Control-Allow-Credentials (ACAC)
– Access with (session) cookies?
• Some more Access-Control-… headers
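The two headers above are what a browser evaluates before it lets a cross-origin script read a response. The following Python model of that check is an added illustration, not code from the talk or from CORStest; the origins and header values in its case table are constructed.

```python
# Added illustration, not code from the talk or from CORStest: a model of the
# check a browser performs before letting a cross-origin script read a response,
# using the two headers named on the slide. All origins and header values in the
# case table below are constructed.

from typing import Dict, List, Optional, Tuple


def response_readable(origin: str, acao: Optional[str], acac: Optional[str],
                      with_credentials: bool) -> bool:
    """True if a script running at `origin` may read the response.

    Follows the CORS check of the WHATWG Fetch standard:
      * no ACAO header                 -> blocked
      * ACAO "*"                       -> readable for anonymous requests only
      * otherwise ACAO must equal the request Origin byte for byte
      * with credentials (cookies), ACAC must additionally be exactly "true"
    """
    if acao is None:
        return False
    if acao == "*":
        # The wildcard is never honoured together with credentials, which is why
        # "ACAO: *" on its own cannot leak session-bound data.
        return not with_credentials
    if acao != origin:
        # No lists and no patterns: "https://a.com, https://b.com" or "*.site.com"
        # are simply unequal to every Origin and therefore match nothing.
        return False
    if with_credentials and acac != "true":
        return False
    return True


def header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, as HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check(origin: str, headers: Dict[str, str], with_credentials: bool) -> bool:
    """Convenience wrapper taking a raw response header dictionary."""
    return response_readable(origin,
                             header(headers, "Access-Control-Allow-Origin"),
                             header(headers, "Access-Control-Allow-Credentials"),
                             with_credentials)


# Constructed cases: (requesting origin, response headers, credentials sent)
CASES: List[Tuple[str, Dict[str, str], bool]] = [
    ("https://good.com", {"Access-Control-Allow-Origin": "https://good.com",
                          "Access-Control-Allow-Credentials": "true"}, True),
    ("https://evil.com", {"Access-Control-Allow-Origin": "https://good.com",
                          "Access-Control-Allow-Credentials": "true"}, True),
    ("https://evil.com", {"access-control-allow-origin": "*"}, False),
    ("https://evil.com", {"Access-Control-Allow-Origin": "*",
                          "Access-Control-Allow-Credentials": "true"}, True),
    ("https://good.com", {"Access-Control-Allow-Origin":
                          "https://site1.com, https://good.com"}, False),
    ("null", {"Access-Control-Allow-Origin": "null",
              "Access-Control-Allow-Credentials": "true"}, True),
]


def run_cases() -> List[bool]:
    """Evaluate every constructed case; True means the script can read the body."""
    return [check(o, h, c) for o, h, c in CASES]


if __name__ == "__main__":
    for (origin, headers, creds), ok in zip(CASES, run_cases()):
        print(f"{origin:18} credentials={creds!s:5} -> "
              f"{'readable' if ok else 'blocked'}")
```

The last case is the one behind the "null misconfiguration" later in the deck: an opaque origin serialises to the literal string "null", so a server that sends "ACAO: null" together with ACAC grants credentialed access to whatever document happens to have that origin.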

Overview
1. Background
2. Misconfigurations
3. CORStest
4. Evaluation
5. Conclusions

Misconfigurations

Developer backdoor
• Insecure developer/debug origins allowed
Diagram: a request to site.com/user-data carrying "Origin: https://fiddle.jshell.net" is answered with "ACAO: https://fiddle.jshell.net"

Allowing access to multiple sites
• Allow all origins
– ACAO: *
– but never with credentials (therefore mostly harmless)
• Invalid configurations:
– ACAO: site1, site2
– ACAO: *.site
• Solution: Dynamically return ACAO based on Origin
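The "dynamically return ACAO based on Origin" solution is where most of the later misconfigurations creep in, so here is one way to implement it safely, as an added example rather than code from the talk: an exact-match allow list of complete origins (scheme, host, port), no ACAO header at all for anything else, and Vary: Origin for caches. The allow-listed origins and the probe values are constructed.

```python
# Added illustration, not code from the talk: the "return ACAO dynamically, based on
# Origin" approach implemented with an exact-match allow list. The allow-listed
# origins and the example requests are constructed; call cors_headers() from
# whatever hook your framework uses to set response headers.

from typing import Dict, Optional
from urllib.parse import urlsplit

# Complete origins only (scheme, host and, if non-default, port). Lists such as
# "site1, site2" and patterns such as "*.site" are not valid ACAO values and
# must not appear here; the exact comparison below is what keeps the check safe.
ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://admin.example.com:8443",
})


def normalise_origin(origin: str) -> Optional[str]:
    """Canonical form of an Origin header value, or None if it is not a plain origin.

    Lower-cases scheme and host and drops a default port, so the comparison
    against ALLOWED_ORIGINS stays exact without rejecting harmless spellings.
    """
    if origin == "null":
        return None  # opaque origins (sandboxed iframes, file://) are never trusted
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.username or parts.path or parts.query or parts.fragment:
        return None  # a real Origin carries no userinfo, path, query or fragment
    try:
        port = parts.port
    except ValueError:
        return None  # non-numeric port
    default_port = 443 if parts.scheme == "https" else 80
    host = parts.hostname.lower()
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def cors_headers(request_origin: Optional[str], credentialed: bool = True) -> Dict[str, str]:
    """Headers to add to a response from an API that serves user-specific data."""
    # Vary: Origin stops a shared cache from replaying one origin's ACAO to another.
    headers = {"Vary": "Origin"}
    if request_origin is None:
        return headers  # same-origin or non-browser request: nothing to grant
    origin = normalise_origin(request_origin)
    if origin is None or origin not in ALLOWED_ORIGINS:
        # Unknown origin: send no ACAO at all and the browser blocks the read.
        # Never "fall back" to "*" or to echoing the Origin here.
        return headers
    headers["Access-Control-Allow-Origin"] = origin
    if credentialed:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def public_cors_headers() -> Dict[str, str]:
    """For resources without user data: the wildcard, and never credentials."""
    return {"Access-Control-Allow-Origin": "*"}


if __name__ == "__main__":
    for probe in ("https://app.example.com", "https://APP.example.com:443",
                  "http://app.example.com", "https://app.example.com.evil.com",
                  "https://evilapp.example.com", "https://sub.app.example.com",
                  "null"):
        print(f"{probe:36} -> {cors_headers(probe)}")
```

Because the comparison includes the scheme, an http:// origin is refused for an https:// resource, which is the "non-SSL sites allowed" case later in the deck; the pre-domain, post-domain and subdomain variants are refused for the same reason, as they are simply different strings.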

Subdomains allowed
• sub.domain.com allowed access
– exploitable if XSS in any subdomain

Post/pre domain wildcard
• notdomain.com is allowed access
– can simply be registered by the attacker
• domain.com.evil.com is allowed access
– can simply be set up by the attacker

Origin reflection
• The origin is simply echoed in ACAO header
– any site is allowed to access the resource

Null misconfiguration
• ACAO: null to allow local HTML files
• null origin can be forced using an iframe
– any site is allowed to access the resource
• null may be returned by software (Node.js)

Protocol-relative URLs
• ACAO: // returned by some websites
• How should browsers deal with this?
– IE, Edge: deny all origins
– FF, Ch, Sa, Op: allow all

Non-SSL sites allowed
• A http origin is allowed access to a https resource, allows MitM to break encryption
Diagram: a request from http://site.com to https://site.com/user-data carrying "Origin: http://site.com" is answered with "Access-Control-Allow-Origin: http://site.com"

Overview
1. Background
2. Misconfigurations
3. CORStest
4. Evaluation
5. Conclusions

CORStest
• Simple CORS misconfiguration scanner
• https://github.com/RUB-NDS/CORStest
• Sends requests with various Origins, checks for the ACAO/ACAC responses

Demo time

Overview
1. Background
2. Misconfigurations
3. CORStest
4. Evaluation
5. Conclusions

Evaluation: Alexa top 1m websites
Chart (only the legend values survive): = 29,514 sites; = 3,750 sites

Evaluation: Alexa top 1m with credentials
Chart (only the legend values survive): = 3,392 sites; = 1,912 sites

Popular vulnerable sites
nystax.gov, flipboard.com, nike.net, moneymonk.nl, webtransfer.org, discourse.mozilla.org, oneplus.net, datacamp.com, planted.com, computerbild.de, moneyversed.com, peddler.com, falk.de, obamacare.net, lemoney.com, dzpay.org, alepay.vn, americanbanker.com, wikibuy.com, apttus.com, ignite.microsoft.com, alipay.com, tu-dresden.de, dasoertliche.de, chalk.com, transferwise.com, duracell.com, metabo.com, korpay.com, taz.de, schwarzwaelder-bote.de, appnexus.com, mail.bg, profile.accounts.firefox.com, bitssa.com, events.att.com, staffhub.com, bitcoinpay.com, icofunding.com, jobsbeta.microsoft.com, fantrax.com, conductrics.com, knack.com, instructure.com, id.net, landr.com, conspire.com, passpack.com, paypax.info, alphaloan.co, playtestcloud.com, hyperwallet.com, officerreports.net, geschaeftskunden.telekom.de, btcclicks.com, partnerevents.booking.com, wayfair.de, teltarif.de, bankofireland.com, cloud.net, academia.edu, azubi.de, kaspay.com, fullcontact.com, eismann.de, abendzeitung-muenchen.de, adidas.de, aboutyou.de, porsche.com, esa.io, myshowpass.com, lonestarnationalbank.com, helpling.de, fedex.com, agoda.com, insight.rapid7.com, s.id, udacity.com, jobs.ch, sparkassenversicherung.de, paytop.com, crystalgraphics.com, login.worldpay.com, pixieset.com, cerego.com, sv-sachsen.de, walmart.com, wetransfer.com, flat.io, bungie.net, secure.paycor.com, libertex.com, fundly.com, yummly.com, transform.microsoft.com, wallet.baidu.com, coinalarm.io, garnier.de, netbank.de, token.im, payoffshore.com, loanframe.com, provinzial.de, zuto.com, native-instruments.de, ctf365.com, coinplug.com, 9cloud.us, citypay.com, slice.com, uberall.com, cheaptickets.de

Reporting on a medium scale
• Had to notify 1,912 (1,500) websites
• How to do this? Contact manually?
– security@, support@, info@, privacy@
• About 300 websites fixed the flaw…
• Some did not want to believe:
– Kevin has resolved your ticket: “We are fully PCI-DSS compliant and have passed all scans”
– “We use the most secured cloud servers and military grade encryption to backup your data”

Causes for CORS misconfigurations
• $ missing: the origin check's regular expression is anchored at the start but not at the end
→ localhost.evil.com access granted

Causes for CORS misconfigurations
• CORS in Action contains examples such as var originWhitelist = ['null', …]
• Rack::Cors maps origins '' or origins '*' into reflecting all origins (+CVE-2017-11173)
• crVCL PHP Framework just checks if allowed origin string is contained in Origin value
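The causes on this slide and the unanchored regular expression on the previous one are all origin-matching mistakes, and they are exactly what a CORStest-style scan (slide "CORStest": send requests with various Origins, check the ACAO/ACAC responses) surfaces. The following Python is an added example, not code from the talk, from CORStest, or from any of the projects named here: each mistake is re-created as a small matcher, and a probe set modelled on the Origin values such a scan sends is run against them so that a policy can be unit-tested before it ships. The site name, patterns and probe origins are all constructed; the Rack::Cors matcher is a model of the behaviour the slide describes, not the library's code.

```python
# Added illustration, not code from the talk, CORStest, or any of the projects the
# slides name: each validation mistake is re-created as a small origin matcher, and
# a probe set modelled on the Origin values a CORStest-style scan sends is run
# against them. The site name, patterns and probe origins are all constructed.

import re
from typing import Callable, Dict, List

SITE = "https://site.com"          # the one origin the developer meant to allow


# --- flawed matchers, one per cause ----------------------------------------

def substring_match(origin: str) -> bool:
    # crVCL-style: accept if the allowed origin string appears anywhere in Origin
    return "site.com" in origin


def unanchored_regex(origin: str) -> bool:
    # "$ missing": the pattern is anchored at the start but not at the end
    return re.match(r"^https?://localhost", origin) is not None


def null_in_whitelist(origin: str) -> bool:
    # the textbook whitelist ['null', ...] treats the opaque origin as trusted
    return origin in ("null", SITE)


def reflect_when_empty(origin: str) -> bool:
    # model of the Rack::Cors behaviour the slide describes (not the library's
    # code): an empty or '*' entry in the configured origins matches, and so
    # reflects, every Origin
    configured = [""]
    return any(entry in ("", "*") or entry == origin for entry in configured)


# --- the check all four should have been ------------------------------------

def exact_match(origin: str) -> bool:
    return origin == SITE


# --- probes: one attacker-reachable Origin per misconfiguration class ---------

PROBES: Dict[str, str] = {
    "reflection":  "https://evil.com",
    "null":        "null",
    "pre-domain":  "https://evilsite.com",
    "post-domain": "https://site.com.evil.com",
    "subdomain":   "https://sub.site.com",
    "non-ssl":     "http://site.com",
    "unanchored":  "http://localhost.evil.com",
}


def findings(matcher: Callable[[str], bool]) -> List[str]:
    """Names of the probe classes the matcher accepts; empty means no finding."""
    return [name for name, origin in PROBES.items() if matcher(origin)]


def audit() -> Dict[str, List[str]]:
    """Run every matcher against every probe; usable as a unit test for a policy."""
    matchers = [substring_match, unanchored_regex, null_in_whitelist,
                reflect_when_empty, exact_match]
    return {m.__name__: findings(m) for m in matchers}


if __name__ == "__main__":
    for name, hits in audit().items():
        print(f"{name:20} {hits or 'no finding'}")
```

The "subdomain" probe is a finding in the sense of the earlier slide: it only becomes exploitable if some subdomain has an XSS, so a policy that must allow a subdomain should list that exact origin rather than accept any host under the domain.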

Invalid headers
• Invalid (creative) ACAO values we observed:
– self, true, false, undefined, None, 0, (null), domain, origin, SAMEORIGIN

Overview
1. Background
2. Misconfigurations
3. CORStest
4. Evaluation
5. Conclusions

Conclusions
• There is a lot of confusion on CORS
• It's too easy to misconfigure CORS
• Can remove all your web security
• ACAO: * is mostly harmless

Thanks for your attention...
CORStest: https://github.com/RUB-NDS/CORStest
Questions?

Some popular sites
• Online banking, insurance, bitcoins, payment and US state's tax filing sites vulnerable:
– sparkassenversicherung.de, bitcoinpay.com, coinplug.com, bankofireland.com, korpay.com, lonestarnationalbank.com, moneymonk.nl, netbank.de, paytop.com, transferwise.com, citypay.com, payoffshore.com, nystax.gov, id.net, booking.com, microsoft.com, yandex.com, geschaeftskunden.telekom.de, agoda.com, fedex.com, adidas.de, dasoertliche.de, …

Non-SSL sites allowed
• A http origin is allowed access to a https resource, allows MitM to break encryption
Diagram: the user visits http://any.com and is redirected to http://site.com ("Redirect to http://site.com"); from there a request to https://site.com/user-data carrying "Origin: http://site.com" is answered with "Access-Control-Allow-Origin: http://site.com"