Cross-Origin Resource Sharing Implemented With Public Access

Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to let the browser know that an application running from one domain (origin) has permission to access resources from another origin (server). The Cross-Origin Resource Sharing header is not enabled on many servers. This misconfiguration enables the web browser to perform cross-domain requests using the XMLHttpRequest Level 2 API. Access-Control-Allow-Origin is a response header used by a server to indicate which domains are allowed to read the response. Many servers that allow origins with public access simply return the request's Origin header value back without any additional checks. This bug might allow an attacker to access sensitive data from the communication.

A cross-origin request has an Origin header that identifies the domain that initiates the request. CORS defines the protocol to be used between a web browser and a server, which determines whether a cross-origin request is allowed or not. A few HTTP headers are involved in this process, and all major browsers support them: Origin, Access-Control-Request-Method, Access-Control-Request-Headers, Access-Control-Allow-Origin, Access-Control-Allow-Credentials, Access-Control-Allow-Methods and Access-Control-Allow-Headers.

The CORS specification requires that for non-simple requests (GET or POST or requests with user credentials), a pre-flight OPTIONS request must be sent in advance. This step checks whether the type of request will have a harmful impact on the data. The pre-flight request checks the headers allowed by the server and the methods used.

If all the credentials are authorised based on the result of the OPTIONS request, the browser can then decide whether the request is to be allowed or not.

Example

Consider frontend script code for a web application served from https://example.beaglesecurity.com that uses XMLHttpRequest to make a request to https://api.example.beaglesecurity.com/data.json. The connection does not involve CORS, so there is a chance the data can be leaked by attacks.

Impact

The attacker can extract sensitive information from the communication. The sensitive data includes credentials and more.

Mitigation / Precaution

Beagle recommends the following fixes:

  • Allow only selected and trusted domains in the Access-Control-Allow-Origin header.
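
The recommendation above, as an added Node.js example (not Beagle's code or any framework's API): a policy that reflects the Origin header, as described earlier, beside one that matches it exactly against an allowlist. The function names, the allowlist contents and the sample Origin values are hypothetical and constructed for illustration.

```javascript
// Constructed allowlist: exact origins (scheme + host + port) trusted to read responses.
const TRUSTED_ORIGINS = new Set(["https://example.beaglesecurity.com"]);

// Misconfigured policy described above: echo any Origin back without checks.
function reflectingCorsHeaders(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Parse an Origin header value; return its canonical form, or null if it is
// missing, the literal "null", or not a bare scheme://host[:port] string.
function canonicalOrigin(value) {
  if (typeof value !== "string" || value === "null") return null;
  try {
    const parsed = new URL(value);
    return parsed.origin === value.toLowerCase() ? parsed.origin : null;
  } catch {
    return null;
  }
}

// Hardened policy: exact match against the allowlist, never substring or regex.
function allowlistCorsHeaders(requestOrigin, trusted = TRUSTED_ORIGINS) {
  // Vary makes caches key on Origin so an allowed response is not reused elsewhere.
  const headers = { Vary: "Origin" };
  const origin = canonicalOrigin(requestOrigin);
  if (origin !== null && trusted.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Constructed Origin values: one trusted, three that must be refused.
const SAMPLE_ORIGINS = [
  "https://example.beaglesecurity.com",
  "https://example.beaglesecurity.com.untrusted.example",
  "http://example.beaglesecurity.com",
  "null",
];

for (const origin of SAMPLE_ORIGINS) {
  const weak = reflectingCorsHeaders(origin)["Access-Control-Allow-Origin"];
  const strict = allowlistCorsHeaders(origin)["Access-Control-Allow-Origin"];
  console.log(`${origin}: reflecting=${weak ?? "-"} allowlist=${strict ?? "-"}`);
}
```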
