Cross-Origin Resource Sharing (CORS) is a mechanism for relaxing the security rules imposed by the Same-Origin Policy (SOP), which can be too restrictive for websites that rely on cross-site data exchange to function. Using a series of HTTP headers, CORS lets a website trust origins other than its own domain while the SOP otherwise remains in force. The mechanism is supported by all modern browsers and is extensively adopted by websites. In CORS, the server is responsible for validating the value of the Origin request header and deciding whether or not to trust it, so developers must implement this check carefully to avoid introducing security issues. We carried out a large-scale analysis of the Tranco Top 50k to measure the prevalence of implementation flaws caused by errors or simplifications in Origin validation and found that of the 6,862 websites using CORS, 2,014 (29.4%) have at least one flaw. We then exploit the vulnerabilities introduced by these flaws in a realistic real-world scenario from the point of view of two attacker models with different capability levels, evaluating the conditions necessary for a successful attack and its consequences. We show how these flaws enable attackers to perform Denial of Service and to steal victims' sensitive data and security tokens that can then be used to mount further attacks. We conclude that CORS is an effective but complicated mechanism, and that website operators should evaluate its use carefully so as not to introduce severe security issues into their systems.
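The server-side Origin validation step the abstract describes, as an added example that is not the paper's code and does not reproduce its flaw taxonomy: a Node.js-style validator showing several widely documented Origin-check shortcuts (reflecting any origin, suffix match, prefix match, a regex with an unescaped dot, trusting the "null" origin) next to an exact allow-list match, plus the header construction for a credentialed response. The allowed origins, the probe origins and the helper names are constructed for this example.

```javascript
// Added example, not from the paper: a CORS Origin check with common
// validation shortcuts next to an exact-match allow list.
// The allowed origins and the probe origins below are constructed.

const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Five shortcuts seen in real Origin validation, each of which trusts more
// than intended. Returns the value that would go into
// Access-Control-Allow-Origin, or null to send no CORS headers at all.
function flawedAllowOrigin(origin, mode) {
  if (typeof origin !== "string") return null;
  switch (mode) {
    case "reflect":
      // Echo whatever the browser sent: every origin is trusted.
      return origin;
    case "suffix":
      // "ends with our domain" also matches https://evilexample.com
      return origin.endsWith("example.com") ? origin : null;
    case "prefix":
      // "starts with our origin" also matches https://app.example.com.evil.net
      return origin.startsWith("https://app.example.com") ? origin : null;
    case "regex":
      // Unescaped dot: https://appxexample.com passes the pattern
      return /^https:\/\/app.example.com$/.test(origin) ? origin : null;
    case "null":
      // Trusting "null" admits sandboxed iframes and data: URLs on any site
      return (origin === "null" || ALLOWED_ORIGINS.has(origin)) ? origin : null;
    default:
      throw new Error("unknown mode " + mode);
  }
}

// Exact, case-sensitive match against a closed allow list, scheme included.
function strictAllowOrigin(origin) {
  if (typeof origin !== "string") return null;
  return ALLOWED_ORIGINS.has(origin) ? origin : null;
}

// Response headers for a credentialed request. With credentials the allowed
// origin must be echoed as one concrete value (never "*"), and the response
// must carry Vary: Origin so a shared cache does not serve one origin's
// headers to another.
function corsHeaders(origin, allowFn) {
  const allowed = allowFn(origin);
  if (allowed === null) return {};
  return {
    "Access-Control-Allow-Origin": allowed,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Constructed probe origins, all but the first controllable by an attacker.
const PROBES = [
  "https://app.example.com",          // legitimate
  "https://evilexample.com",          // attacker-registered, suffix match
  "https://app.example.com.evil.net", // attacker subdomain, prefix match
  "https://appxexample.com",          // attacker-registered, unescaped dot
  "null",                             // sandboxed iframe / data: URL
  "https://attacker.net",             // arbitrary origin
];

// Which probe origins a given validator would trust.
function trustedBy(allowFn) {
  return PROBES.filter((o) => allowFn(o) !== null);
}
```

Any origin returned by the validator together with `Access-Control-Allow-Credentials: true` lets a page on that origin read the authenticated response body from the victim's browser, which is the data-theft outcome the abstract refers to; only the exact-match check limits that to the listed origins.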

Mind the CORS / Golinelli, Matteo; Arshad, Elham; Kashchuk, Dmytro; Crispo, Bruno. - (2023). (Paper presented at the IEEE TPS conference held in Atlanta, GA, USA, 1-3 Nov 2023).

Mind the CORS

Matteo Golinelli; Elham Arshad; Bruno Crispo
2023-01-01

2023
2023 IEEE 5th International Conference on Trust, Privacy and Security in Intelligent Systems, and Applications
Atlanta, GA, USA
IEEE
Golinelli, Matteo; Arshad, Elham; Kashchuk, Dmytro; Crispo, Bruno
Files for this item:
No files are associated with this item.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/11572/399025

Warning! The data displayed has not been validated by the university.

Citations
  • Scopus: not available