This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "CORS OriginHeaderScrutiny"
m |
Collin Sauve (talk | contribs) (That's really all you need to know - don't trust the origin header, do your own authentication. Full stop. This additional rambling about having to manage users and passwords is muddying the waters, and isn't neces. true (not all auth is password auth)) (Tag: Visual edit) |
||
(3 intermediate revisions by 2 users not shown) | |||
Line 2: | Line 2: | ||
| type=pls_review | | type=pls_review | ||
}} | }} | ||
− | |||
− | |||
− | |||
== Introduction == | == Introduction == | ||
Line 10: | Line 7: | ||
'''CORS''' stands for '''C'''ross-'''O'''rigin '''R'''esource '''S'''haring. | '''CORS''' stands for '''C'''ross-'''O'''rigin '''R'''esource '''S'''haring. | ||
− | Is a feature offering the | + | Is a feature offering the possibility for: |
* A web application to expose resources to all or restricted domain, | * A web application to expose resources to all or restricted domain, | ||
* A web client to make AJAX request for resource on other domain than is source domain. | * A web client to make AJAX request for resource on other domain than is source domain. | ||
− | This article will focus on role of the '''Origin''' header in exchange between web client and web application. | + | This article will focus on the role of the '''Origin''' header in the exchange between web client and web application. |
− | The basic process is composed | + | The basic process is composed of the steps below (sample HTTP request/response has been taken from [https://developer.mozilla.org/en-US/docs/HTTP_access_control Mozilla Wiki]): |
− | * '''Step 1 : Web client | + | * '''Step 1 : Web client sends a request to get a resource from a different domain.''' |
<pre> | <pre> | ||
Line 35: | Line 32: | ||
</pre> | </pre> | ||
− | The web client | + | The web client tells the server its source domain using the HTTP request header "'''Origin'''". |
− | * '''Step 2 : Web application | + | * '''Step 2 : Web application response to request.''' |
<pre> | <pre> | ||
Line 52: | Line 49: | ||
</pre> | </pre> | ||
− | The web application informs web client of the allowed | + | The web application informs the web client of the allowed domains using the HTTP response header '''Access-Control-Allow-Origin'''. |
− | The header can contains a '*' to indicate that all | + | The header can contains either a '*' to indicate that all domains are allowed OR a specified domain to indicate the specified allowed domain. |
* '''Step 3 : Web client process web application response.''' | * '''Step 3 : Web client process web application response.''' | ||
Line 62: | Line 59: | ||
== Risk == | == Risk == | ||
− | ''A reminder : | + | ''A reminder : This article will focus on the web application side because it's the only part in which we have the maximum of control.'' |
The risk here is that a web client can put any value into the '''Origin''' request HTTP header in order to force web application to provide it the target resource content. | The risk here is that a web client can put any value into the '''Origin''' request HTTP header in order to force web application to provide it the target resource content. | ||
− | In the case of a Browser web client, the header value is managed by the browser but another "web client" can be used (like Curl/Wget/Burp suite/...) to change/override the "Origin" header value. | + | In the case of a Browser web client, the header value is managed by the browser but another "web client" can be used (like Curl/Wget/Burp suite/...) to change/override the "Origin" header value. For this reason it is not recommended to use the Origin header to authenticate requests as coming from your site. |
== Countermeasure == | == Countermeasure == | ||
− | + | Enable authentication on the resources accessed and require that the user/application credentials be passed with the [https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS#Requests_with_credentials CORS requests]. | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
+ | It is not possible to be 100% certain that any request comes from an expected client application, since all information of a HTTP request can be faked. | ||
== Informations links == | == Informations links == | ||
Line 309: | Line 75: | ||
* Wikipedia : http://en.wikipedia.org/wiki/Cross-origin_resource_sharing | * Wikipedia : http://en.wikipedia.org/wiki/Cross-origin_resource_sharing | ||
* CORS Abuse : http://blog.secureideas.com/2013/02/grab-cors-light.html | * CORS Abuse : http://blog.secureideas.com/2013/02/grab-cors-light.html | ||
− | |||
[[Category:Java]] | [[Category:Java]] | ||
[[Category:Attack]] | [[Category:Attack]] | ||
[[Category:Injection Attack]] | [[Category:Injection Attack]] |
Latest revision as of 20:05, 25 February 2019
Introduction
CORS stands for Cross-Origin Resource Sharing.
Is a feature offering the possibility for:
- A web application to expose resources to all or restricted domain,
- A web client to make AJAX request for resource on other domain than is source domain.
This article will focus on the role of the Origin header in the exchange between web client and web application.
The basic process is composed of the steps below (sample HTTP request/response has been taken from Mozilla Wiki):
- Step 1 : Web client sends a request to get a resource from a different domain.
GET /resources/public-data/ HTTP/1.1 Host: bar.other User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20081130 Minefield/3.1b3pre Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Connection: keep-alive Referer: http://foo.example/examples/access-control/simpleXSInvocation.html Origin: http://foo.example [Request Body]
The web client tells the server its source domain using the HTTP request header "Origin".
- Step 2 : Web application response to request.
HTTP/1.1 200 OK Date: Mon, 01 Dec 2008 00:23:53 GMT Server: Apache/2.0.61 Keep-Alive: timeout=2, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: application/xml Access-Control-Allow-Origin: * [Response Body]
The web application informs the web client of the allowed domains using the HTTP response header Access-Control-Allow-Origin. The header can contains either a '*' to indicate that all domains are allowed OR a specified domain to indicate the specified allowed domain.
- Step 3 : Web client process web application response.
According to the CORS W3C specification, it's up to the web client (usually a browser) to determine, using the web application response HTTP header Access-Control-Allow-Origin, if the web client is allowed to access response data.
Risk
A reminder : This article will focus on the web application side because it's the only part in which we have the maximum of control.
The risk here is that a web client can put any value into the Origin request HTTP header in order to force web application to provide it the target resource content. In the case of a Browser web client, the header value is managed by the browser but another "web client" can be used (like Curl/Wget/Burp suite/...) to change/override the "Origin" header value. For this reason it is not recommended to use the Origin header to authenticate requests as coming from your site.
Countermeasure
Enable authentication on the resources accessed and require that the user/application credentials be passed with the CORS requests.
It is not possible to be 100% certain that any request comes from an expected client application, since all information of a HTTP request can be faked.
Informations links
- W3C Specification : http://www.w3.org/TR/cors/
- Mozilla Wiki : https://developer.mozilla.org/en-US/docs/HTTP_access_control
- Wikipedia : http://en.wikipedia.org/wiki/Cross-origin_resource_sharing
- CORS Abuse : http://blog.secureideas.com/2013/02/grab-cors-light.html