Misconfigured CORS

Evan Johnson

Why being secure isn’t getting easier

About MeMy name is EvanI’m a software engineer.I’m work on security at CloudflareI love golang.

How would you secure the internet?

The internet is not a series of castles

The internet is not a series of castles

Same-Origin Policy

Cross Origin Resource Sharing

CORS is driven by the Origin headerBased on origin header, the server is supposed to make

decisions about what CORS header to display

Access-Control-Allow-Origin: *Is not the same as reflecting the origin header. * means

no cookies

Cross Origin Resource Sharing Appropriately

Cross Origin Resource Sharing Appropriately

Reflecting all Origin headersAs Access-Control-Allow-Origin WITH Access-Control-

Allow-Credentials: trueWould be really bad.

Does anyone do this?

Why?

It basically turns off Same-Origin policy…

Which is like ... one of the worst security problems to have.

Cross Origin Resource Sharing Problem

Testing for Bad CORS

Testing for bad cors ➜ ~ curl https://streamable.com -H "Origin: https://evil.com" -I

HTTP/1.1 200 OKDate: Tue, 27 Sep 2016 03:39:01 GMTContent-Type: text/html; charset=utf-8Content-Length: 34969Connection: keep-aliveServer: nginxVary: Accept-EncodingSet-Cookie: session=D2V05A0PVBFAXGCW7NJFGCPF; Domain=.streamable.com; Expires=Sat, 13-Feb-2044 03:39:01 GMT; Path=/Access-Control-Allow-Origin: https://evil.comAccess-Control-Allow-Credentials: true

Exploit Proof of Concept$.ajax({

url:"https://streamable.com/ajax/me", success: function( data ) {

document.write("Your stream key is " + data['stream_key']); }, xhrFields: { withCredentials: true }});

How widespread is this problem?

How do I know?

I scanned the Alexa 1M for websites that:●Access-Control-Allow-Origin: <myevilsite.com>●Access-Control-Allow-Credentials: true●I followed redirects●I checked both http and https

1,514 sites with this problem config

The code - https://github.com/ejcx/badcors-massscan

●Written in go●Heavy use of concurrency patterns●Making it public after this talk, and making the results and all the

sites public.

The code -

The code -

What do you do when you find a thousand vulnerable websites?

Started tracking these misconfigurations at their src

●I started looking for the libraries that people were using to cause this behavior.

●I reported this to ○SAILS JS○Rack CORS○(some go library rs/cors.go or something)○More to come.

CORS, the source

CORS, the source

So…. What’s this about?

Complexity

Complexity in CORS

Cross origin resource sharing could be way easier.

● The authors clearly wanted to prevent people from this type of behavior.

●That’s why “*” and “Allow-Credentials: true” is not allowed.

●Why make it possible at all.

●Why do you need 6 different response headers

●Reminds me of OpenSSL

CORS is not alone...

●CSP●SRI●HPKP●Credential management●HSTS

Content Security Policy

●A new “hot” http response header●CSP is still a mess. Has 3 headers.●It is growing in complexity BY THE GOSH DARN DAY

Content Security Policy

Sub-Resource Integrity

●Load only expected assets. SRI dictates that you can only load things sub resources that match a hash that is baked in to the DOM.

●This is nice, but SRI is confusing. Who should use SRI. When is it no tnecessary? The spec is not clear.

HTTP Public Key Pinning

●There are probably a bakers dozen of websites where this is useful

●Securityheaders.io tries to make you want to turn on HPKP●Huge operational burden●Disaster. ●Complex.

HPKP

Credential Management

●In your browser NOW! Be afraid●Allows websites to log you in using the browser password

manager

HTTP Strict Transport Security

●Very normal header to set now’a’days.●It is not easy. Beware of “includeSubdomains●https://twitter.com/bcrypt/status/781969754806366208

What about usable security?

Who remembers OpenSSL?anyone? anyone?

Why not go the way of TLS1.3

It should be easy to make a castle,so where do we go from here?

Demand simplicity

●Web specifications are hard. Why are they not easy?●Cross Origin Resource Sharing needs a full rewrite.●There are three different Content Security Policy headers....●Some browsers still don’t support it.●Some browsers still don’t support SRI.

WHAT A MESS! Web Specs should be easy!

Come help us save the webThis stuff is all too hard.