Mind the CORS / Golinelli, Matteo; Arshad, Elham; Kashchuk, Dmytro; Crispo, Bruno. - (2023), pp. 213-221. (Paper presented at the IEEE TPS conference held in Atlanta, GA, USA, 1st-3rd Nov 2023) [10.1109/TPS-ISA58951.2023.00035].

Mind the CORS

Golinelli, Matteo; Arshad, Elham; Crispo, Bruno
2023-01-01

Abstract

Cross-Origin Resource Sharing (CORS) is a mechanism to relax the security rules imposed by the Same-Origin Policy (SOP), which can be too restrictive for websites that rely on cross-site data exchange to function. Using a series of HTTP headers, CORS allows a website to trust origins other than its own domain despite the presence of a strict SOP. This mechanism is supported by all modern browsers and is extensively adopted by websites. In CORS, servers are responsible for validating the value of the Origin header and deciding whether or not to trust it. For this reason, developers must implement this validation carefully so as not to introduce security issues. We carried out a large-scale analysis on the Tranco Top 50k to measure the prevalence of various implementation flaws due to errors or simplifications in Origin validation and found that of the 6,862 websites using CORS, 2,014 (29.4%) have at least one flaw. We next exploit the vulnerabilities introduced by these CORS flaws in a realistic real-world scenario from the point of view of two attacker models with varying capability levels, evaluating the conditions necessary for a successful attack and its consequences. We show how these flaws enable attackers to perform Denial of Service and steal victims’ sensitive data and security tokens that can then be used to mount subsequent attacks. We conclude that CORS is an effective but complicated mechanism and its use should be carefully evaluated by website operators so as not to risk introducing severe security issues in their systems.
2023
2023 IEEE 5th International Conference on Trust, Privacy and Security in Intelligent Systems, and Applications
Piscataway, NJ USA
IEEE
979-8-3503-2385-6
979-8-3503-2386-3
Golinelli, Matteo; Arshad, Elham; Kashchuk, Dmytro; Crispo, Bruno
Files in this item:

Mind-the-CORS.pdf (open access)
  Type: Refereed post-print (author's manuscript)
  License: All rights reserved
  Size: 384.2 kB
  Format: Adobe PDF

Mind_the_CORS.pdf (archive administrators only)
  Type: Publisher's version (publisher's layout)
  License: All rights reserved
  Size: 519.26 kB
  Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/11572/399025
Citations
  • Scopus 0