Notes - MCS
Analysis and Exploration of Vulnerabilities
Notes - MCS
Analysis and Exploration of Vulnerabilities
  • Analysis and Exploration of Vulnerabilities
  • Vulnerabilities
    • Vulnerabilities
      • CIA Triad
      • Vulnerability Sources
    • Vulnerability Tracking
    • Vulnerability Disclosure
  • Vulnerability Assessment of Networked Systems
    • Vulnerability Research
    • Vulnerability Assessment
    • Penetration Test
      • Scope
    • Types of Assessments
    • Vulnerability Management Life Cycle
  • Enumeration and Information Leakage
    • Network access
    • Information leakage
    • Errors
    • Web Sources and Support Files
    • Cookies
    • Ports
    • Banners
    • OS Fingerprinting
  • Injection
    • CWE-74
    • How it works
    • Common Pitfalls
    • CWE-89 SQL Injection
    • Using SQL
    • Things to consider
    • The NULL plate
    • SQLi types
    • SQL Injection - Avoiding
    • CWE-78 OS Command Injection
    • Command Override
    • Argument Exploitation
    • GTFOBins and LOLBAS
    • Environmental Variables
    • Parameter Expansion
    • Code Injection - CWE-94
    • Avoiding OS Injection
  • Broken Authentication
    • OWASP A2
    • HTTP Basics
    • HTTP Communication
    • Authentication
    • Authentication Flow State
    • Referer Header
    • SESSION ID
    • Cookies (RFC 6265)
    • JWT - JSON Web Tokens
  • XSS Cross Site Scripting
    • Prevalence and Detectability
    • Reflected XSS
    • Stored XSS
    • DOM XSS
    • Cross Site Request Forgery
    • Avoiding XSS
    • Same Origin Policy
  • Concurrency
    • Concurrency
    • CWE-361 - 7PK - Time and State
    • Basic Time Related CWEs
      • CWE-362 – Race Condition
    • Serializability
    • Database ACID characteristic
    • State Related CWEs
    • Basic Side Effects Related CWEs (Covert Channel)
    • Covert Timing Channel
    • Meltdown Type
  • Buffers
    • Buffer Overflow
    • Popularity decline
    • Potentially Vulnerable Software
    • Dominant prevalence
    • Vulnerabilities in languages (mostly C/C++)
    • Why? Memory Structure 101
    • CWE-120 Classic Overflow
      • Practical Examples
    • Stack Based Vulnerabilities
    • Stack Smashing
    • Countermeasures
    • ROP
Powered by GitBook
On this page
  • Cross Origin Embedding
  • Why is CORS needed?
  • CORS
  • Requests
  • Headers
  • Insecurity
  1. XSS Cross Site Scripting

Same Origin Policy

Sites may require external resources (Cross Origin Resources).

  • Javascripts, Images, Styles.

  • However, this should be controlled.

Current site perspective: where my resources are being loaded from?

  • Images may be remote, JS should be local, as well as styles...

Other sites: who is accessing my resources?

  • I do not want to be spreading malware (act as a storage for Stored XSS).

Web servers may state a header that sets the Same Origin Policy.

What is Same Origin Policy?

  • SOP restricts how a document or script loaded from one origin can interact with a resource from another origin.

Origin is permitted to send data to another origin but not read.

Interactions between origins are placed in three categories:

  • Cross origin writes (redirects, links, form action etc.).

  • Cross origin embedding (html tag with src/hrefs).

  • Cross origin reads (not allowed without CORS etc.).

Cross Origin Embedding

  • JavaScript <script src="..."></script>

  • CSS with <link rel="stylesheet" href="...">

  • Images with <img>

  • Media files with <video> and <audio> tags.

  • Plug-ins with <object>, <embed> and <applet>

  • Fonts with @font-face

  • Anything with <frame> and <iframe>

Why is CORS needed?

For legitimate and trusted requests to gain access to authorized data from other domains.

  • Think cross application data sharing models.

Allows data to be exchanged with trusted sites while using a relaxed Same Origin policy mode.

Application APIs exposed via web services and trusted domains require CORS to be accessible over the SOP.

CORS

Requests

Preflight is not needed if:

  • Request is a HEAD/GET/POST via XHR.

  • No Custom headers.

  • Body is text/plain.

Server responds with a CORS header.

  • Browser determines access.

  • Neither the request, nor response contain cookies.

Headers

Simple Request.

  • Origin: Header set by the client for every CORS request.

  • Value is the current domain that made the request.

Access-Control-Allow-Origin.

  • Set by the server and used by the browser to determine if the response is to be allowed or not.

  • Can be set to * to make resources public (bad practice!).

Insecurity

Several security issues arise from the improper implementation of CORS.

  • Most commonly using a universal allow notation (*) in the server headers.

Clients should not trust the received content completely.

  • Eval or render content without sanitization which could result in misplaced trust.

The application that allows CORS may become vulnerable to CSRF attacks.

Prolonged caching of Preflight responses could lead to attacks arising out of abuse of the Preflight Client Cache.

Access control decisions based on the Origin header could result in vulnerabilities as this can be spoofed by an attacker.

Misplaced Trust

Data exchange between two domains is based on trust.

  • If one of the servers involved in the exchange of data is compromised, then the model of CORS is put at risk.

Scenarios?

  • An attacker can compromise site A and host malicious content, knowing site B trusts the data that site A sends to site B.

Access Control based on Origin

The Origin header indicates that the request is from a particular domain, but does not guarantee it.

  • Header can be controlled by the attacker.

Spoofing the Origin header allows access to the page if access is based on this header.

Scenarios?

  • An attacker sets the Origin header to view sensitive information that is restricted.

  • Using cURL to set a custom origin header: curl --header 'origin:http://someserver.com'

Caching of Preflight responses

The Access-Control-Max-Age header is set to a high value, allowing browsers to cache Preflight responses.

  • It’s very important for performance reasons.

  • But caching the preflight response for longer duration can pose a security risk.

If the access-control policy is changed on the server the browser would still follow the old policy available in the Preflight Result Cache.

Scenario:

  • During updates to sites, the access policy will be out of sync until the cache expires.

Universal Allow

Setting the 'Access-Control-Allow-Origin' header to *

  • Effectively turns the content into a public resource, allowing access from any domain.

  • Very common during development, and somewhat during production.

Scenarios?

  • An attacker can steal data from an intranet site that has set this header to * by enticing a user to visit an attacker controlled site on the Internet.

  • An attacker can perform attacks on other remote apps via a victim’s browser when the victim navigates to an attacker controlled site.

Last updated 1 year ago