Cross-Origin Resource Sharing (CORS) vulnerabilities in web applications Theory

AKRAM BOUTZOUGA
3 min read · Dec 12, 2024


Introduction

Imagine the internet as a gated community where websites are individual homes. Cross-Origin Resource Sharing (CORS) is like the neighborhood security protocol that decides who can visit which house and under what circumstances. But what happens when this security system has weak spots? Let’s explore the world of CORS vulnerabilities.

What is CORS?

Before we dive into vulnerabilities, let’s understand CORS through a simple analogy. Think of CORS as a sophisticated visitor management system for websites:

  • 🏠 Your website (origin) is like a house
  • 🚪 Other websites (different origins) are like neighboring houses
  • 🛡️ CORS is the security guard checking visitor permissions

By default, the browser’s same-origin policy stops a page from reading the response to a request it sends to a different origin (scheme, host and port). CORS is the mechanism that lets a server selectively relax that restriction for the origins it explicitly names.

What is a CORS Vulnerability?

A CORS vulnerability occurs when the security guard (CORS policy) becomes too relaxed or tricked into allowing unauthorized access. It’s like leaving your front door open with an “All Visitors Welcome” sign.

Real-World Analogy

Imagine you have a secure bank vault (your web application). A CORS vulnerability is like having a security guard who:

  • Accepts anyone’s ID without proper verification
  • Allows strangers to peek into confidential areas
  • Doesn’t check whether visitors have a legitimate reason to enter

How to Find CORS Vulnerabilities

1. Overly Permissive Access Control

Look for these red flags in server responses:

Access-Control-Allow-Origin: *

This is equivalent to saying “Everyone can enter!” in our security guard analogy. One limit to keep in mind when rating this finding: browsers refuse to pair * with credentials, so a bare wildcard exposes only data the server already serves to anonymous requests; the reflected-origin case is the one that leaks authenticated data.

2. Dynamic Origin Reflection

Watch for configurations that blindly echo back whatever Origin header the request carries, especially together with Access-Control-Allow-Credentials: true, which lets the reflected origin read responses sent with the victim’s cookies:

Access-Control-Allow-Origin: https://attacker-controlled-domain.com

3. Misconfigured Wildcard Domains

Vulnerable configurations might allow subdomains too broadly:

Access-Control-Allow-Origin: *.example.com

Browsers do not evaluate a wildcard inside a hostname, so a header with this literal value is simply ignored. In practice the flaw shows up as server-side code that accepts any Origin whose hostname ends in example.com and reflects it; a look-alike registered domain such as attacker-example.com passes that check too.
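The three red flags above can be checked mechanically against your own server: send a handful of probe Origins and classify the Access-Control-* headers that come back. The following is an added example, not code from the original post; classifyResponse(), probeOrigins(), auditCors() and the simulated servers are constructed for this demonstration rather than a real library API, and the probe set goes slightly beyond the text by also covering loose prefix matches.

```javascript
// Added example, not code from the original post. It audits a server's CORS
// policy by sending a few probe Origins and classifying what comes back.
// classifyResponse(), probeOrigins(), auditCors() and the simulated servers
// below are constructed for this demonstration and are not a real library API.

const SEVERITY = { wildcard: 1, reflected: 2, 'reflected-with-credentials': 3 };

// Classify one response. `headers` is a plain object of response headers;
// names are case-insensitive, so they are lower-cased before lookup.
function classifyResponse(probeOrigin, headers, trustedOrigins) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const acao = h['access-control-allow-origin'];
  const creds = (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';

  if (acao === undefined) return 'no-cors';        // browser blocks the cross-origin read
  if (acao === '*') return 'wildcard';             // anonymous data readable by anyone;
                                                   // browsers refuse '*' with credentials
  if (acao !== probeOrigin) return 'fixed-origin'; // some other origin is named, not ours
  if (trustedOrigins.includes(probeOrigin)) return 'allowlisted';
  return creds ? 'reflected-with-credentials' : 'reflected';
}

// Probe set: each trusted origin, one clearly untrusted origin, and two
// look-alikes per trusted host that slip past endsWith()/startsWith() checks.
function probeOrigins(trustedOrigins) {
  const probes = new Set(['https://untrusted.invalid']);
  for (const t of trustedOrigins) {
    const host = new URL(t).host;
    probes.add(t);
    probes.add(`https://evil-${host}`);          // defeats a hostname suffix match
    probes.add(`https://${host}.evil.invalid`);  // defeats a hostname prefix match
  }
  return [...probes];
}

// `send(origin)` returns the response headers the server produced for a
// request carrying that Origin. Returns every finding plus the worst verdict.
function auditCors(trustedOrigins, send) {
  const findings = [];
  let worst = 'none';
  for (const origin of probeOrigins(trustedOrigins)) {
    const verdict = classifyResponse(origin, send(origin), trustedOrigins);
    const sev = SEVERITY[verdict];
    if (sev === undefined) continue;               // allowlisted / fixed-origin / no-cors are fine
    findings.push({ origin, verdict });
    if ((SEVERITY[worst] || 0) < sev) worst = verdict;
  }
  return { worst, findings };
}

// Constructed stand-ins for the server under test (no network needed):
const TRUSTED = ['https://app.example.com'];
const withCreds = (o) => ({ 'Access-Control-Allow-Origin': o, 'Access-Control-Allow-Credentials': 'true' });
const servers = {
  wildcard: () => ({ 'Access-Control-Allow-Origin': '*' }),
  reflect:  (o) => withCreds(o),                                                 // echoes any Origin
  suffix:   (o) => new URL(o).hostname.endsWith('example.com') ? withCreds(o) : {}, // loose match
  strict:   (o) => TRUSTED.includes(o) ? { ...withCreds(o), Vary: 'Origin' } : {},  // exact allowlist
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, send] of Object.entries(servers)) {
    console.log(name, JSON.stringify(auditCors(TRUSTED, send)));
  }
}
```

Running it prints one line per simulated policy: the strict server yields no findings, the wildcard server is flagged at the lowest severity for every probe, the reflecting server is flagged for every untrusted probe, and the suffix-matching server is caught only by the evil-app.example.com look-alike, which is exactly the case a single manual probe with a random origin would miss.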

How to Exploit CORS Vulnerabilities

The Malicious Visitor Scenario

An attacker could:

  1. Create a malicious website
  2. Send crafted requests to your vulnerable application
  3. Steal sensitive information or perform unauthorized actions

Practical Example

// Malicious script on attacker's site
// (sendToAttackerServer is a placeholder for whatever channel the attacker uses to receive the data)
fetch('https://victim-site.com/sensitive-data', {
  credentials: 'include' // Sends the victim's cookies with the request
})
  .then(response => response.json()) // Readable only if the server reflected this origin and allowed credentials
  .then(data => {
    // Exfiltrate data to attacker's server
    sendToAttackerServer(data);
  });

How to Prevent CORS Vulnerabilities

1. Strict Origin Validation

✅ DO:

Access-Control-Allow-Origin: https://trusted-domain.com

❌ DON’T:

Access-Control-Allow-Origin: *

2. Use Specific Configuration

  • Whitelist exact origins
  • Avoid using wildcards
  • Implement server-side origin checking

3. Additional Security Measures

  • Keep Access-Control-Allow-Credentials off (unset, or anything other than true) whenever cookies or Authorization headers are not needed cross-origin
  • Implement robust server-side authentication
  • Validate and sanitize all cross-origin requests

Code Example of Secure CORS Configuration (Node.js/Express)

const express = require('express');
const cors = require('cors');

const app = express();

// Exact origins only: scheme, host and port must match character for character.
const allowedOrigins = [
  'https://your-trusted-domain.com',
  'https://another-trusted-domain.com'
];

app.use(cors({
  origin: function (origin, callback) {
    // Requests without an Origin header (same-origin navigation, curl, server-to-server)
    // are let through here; the browser only enforces CORS when Origin is present.
    if (!origin || allowedOrigins.includes(origin)) {
      callback(null, true); // cors then echoes the matched origin, never '*'
    } else {
      callback(new Error('Not allowed by CORS'));
    }
  }
}));
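The cors package hides what actually happens on the wire. The following is an added example, not the post’s or the cors project’s code: the same exact-allowlist idea from the prevention list and the Express snippet, written against Node’s plain (req, res) objects so every check (origin parsing, the Vary header, credentials only for allowlisted origins, preflight handling) is visible. ALLOWED_ORIGINS, canonicalOrigin(), corsHeaders() and applyCors() are names and values chosen for this illustration.

```javascript
// Added example, not the original post's code: the same allowlist idea as the
// Express snippet above, written against Node's plain (req, res) objects so
// every check is visible. ALLOWED_ORIGINS, canonicalOrigin(), corsHeaders()
// and applyCors() are names and values chosen for this illustration.

// Exact origins only: scheme, host and port must all match. No wildcards,
// no suffix matching, no regular expressions.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com:8443',
]);

// Accept only a value that is already a canonical origin (scheme://host[:port]).
// Browsers always send Origin in that form, so anything else (a path, a trailing
// slash, an unparseable string) is rejected rather than normalised.
function canonicalOrigin(value) {
  if (typeof value !== 'string') return null;
  try {
    const u = new URL(value);
    return u.origin === value ? u.origin : null;
  } catch {
    return null;
  }
}

// Decide the CORS headers for one request. Returns { status, headers }:
// status is 204 for a preflight to answer immediately, 403 for a preflight from
// a disallowed origin, and null when the real handler should run next.
function corsHeaders(req) {
  const headers = { Vary: 'Origin' }; // caches must key on Origin when the response varies by it
  const origin = canonicalOrigin(req.headers.origin);
  const isPreflight = req.method === 'OPTIONS' &&
    'access-control-request-method' in req.headers;

  if (origin === null || !ALLOWED_ORIGINS.has(origin)) {
    // Unknown origin (or no Origin at all): send no Access-Control-* headers,
    // so the browser blocks the read. Same-origin requests need none anyway.
    return { status: isPreflight ? 403 : null, headers };
  }

  headers['Access-Control-Allow-Origin'] = origin; // the matched entry, never '*'
  // Only an allowlisted origin ever gets credentials; drop this line entirely
  // if the API does not need cookies or Authorization cross-origin.
  headers['Access-Control-Allow-Credentials'] = 'true';
  if (isPreflight) {
    headers['Access-Control-Allow-Methods'] = 'GET, POST, DELETE';
    headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
    headers['Access-Control-Max-Age'] = '600';
    return { status: 204, headers };
  }
  return { status: null, headers };
}

// Middleware-style wrapper, usable as
// http.createServer((req, res) => applyCors(req, res, realHandler)).
function applyCors(req, res, next) {
  const { status, headers } = corsHeaders(req);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  if (status !== null) {
    res.statusCode = status;
    res.end();
    return;
  }
  next(req, res);
}
```

Two design points worth noting: the disallowed branch sends no Access-Control-* headers at all rather than an error body, because the browser’s decision is made purely from those headers, and the allowlist holds full origins (including a non-default port) so that https://evil-app.example.com and https://app.example.com.evil.invalid both fail the Set lookup without any string pattern logic to get wrong.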

Conclusion

CORS vulnerabilities are like hidden backdoors in your web application’s security. By understanding these risks and implementing strict, thoughtful access controls, you can protect your digital assets from potential breaches.

Quick Security Checklist

✔️ Validate origins strictly

✔️ Never use wildcard (*) in production

✔️ Implement server-side checks

✔️ Use minimal necessary access rights
