
I was building a website as an experiment, and tried using a few AJAX requests to different sites. On some sites I will get an error:

XMLHttpRequest cannot load http://example.com/path No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.

When I opened Wireshark and saw what was going through the network, I could see that even on the sites that produced the error (meaning they didn't have Access-Control-Allow-Origin in the response) the request was sent to the site. If I changed the response to include the Access-Control-Allow-Origin: * header, the response would be processed as needed on my site.

My question is: If I was trying to do CSRF to the requested site, the response does not matter as much as the request does. As long as the request was processed at example.com, it doesn't matter whether the response had an Access-Control-Allow-Origin header on it or not (assuming I don't care about the response, I just wanted the action to take place).

Am I correct that the protection is useless, or am I missing something?

Anders
t0m9er

1 Answer


It is important to notice that CORS is not around to solve all security issues but rather a specific one, which is being able to read data from a third-party resource (I am on google.com but I try to read facebook.com cookies).

Take a look here:

The Cross-Origin Resource Sharing standard works by adding new HTTP headers that allow servers to describe the set of origins that are permitted to read that information using a web browser.

Due to the fact that CORS exists just to protect the reading of a third-party website, and a CSRF attack is submitting data, the CSRF attack being launched will probably work, but you will not get any response (again because of the restricted reading).

Note: There is nothing special here, since you can launch the CSRF attack even if this was not possible via CORS. Instead of sending it via AJAX, you can just redirect the user to the specific URL using location.href = www.example.com/csrfhack=some_hack

Bubble Hacker
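The point the answer makes, as an added example that is not part of the original post or answer: a small model of what the browser and the server each do for a cross-origin POST. The CORS response header only gates whether the caller may read the response; whether the request is acted upon is decided by the server's own CSRF defences (here an Origin check plus a per-session token). The origins, account names and request shape are assumed for the demonstration.

```javascript
// Added example, not from the original post. Origins and names are assumed.
const SITE_ORIGIN = "https://bank.example";          // the target site
const ALLOWED_READ_ORIGINS = new Set([SITE_ORIGIN]);  // CORS allow-list

// What the browser does with the response: Access-Control-Allow-Origin is
// consulted only after the request has already reached the server.
function browserMayReadResponse(requestOrigin, acaoHeader) {
  return acaoHeader === "*" || acaoHeader === requestOrigin;
}

// A state-changing endpoint WITHOUT CSRF protection: anything carrying the
// victim's session cookie is acted upon, whatever Origin it came from.
function unprotectedTransfer(req, accounts) {
  if (!req.cookies.session) return { processed: false, status: 401 };
  accounts[req.body.to] = (accounts[req.body.to] || 0) + req.body.amount;
  return { processed: true, status: 200,
           acao: ALLOWED_READ_ORIGINS.has(req.origin) ? req.origin : undefined };
}

// The same endpoint with two independent CSRF defences: the Origin header
// must match the site, and the body must carry the per-session token.
function protectedTransfer(req, accounts) {
  if (!req.cookies.session) return { processed: false, status: 401 };
  if (req.origin !== SITE_ORIGIN) return { processed: false, status: 403 };
  if (req.body.csrf !== req.cookies.csrf) return { processed: false, status: 403 };
  return unprotectedTransfer(req, accounts);
}

// Constructed request: a form-encoded POST from another site, carrying the
// victim's cookies, which the browser attaches automatically.
function crossOriginRequest(extraBody = {}) {
  return { origin: "https://other.example",
           cookies: { session: "victim", csrf: "tok" },
           body: { to: "mallory", amount: 100, ...extraBody } };
}

function demo() {
  const accounts = { mallory: 0 };
  const req = crossOriginRequest();
  const r1 = unprotectedTransfer(req, accounts);  // runs: CORS cannot stop it
  const r2 = protectedTransfer(req, accounts);    // rejected by the Origin check
  return { unprotected: r1, protected: r2, balance: accounts.mallory,
           callerCanRead: browserMayReadResponse(req.origin, r1.acao) };
}
```

The unprotected endpoint processes the transfer even though the caller never gets to read the response, which is exactly what the question observed in Wireshark; only the Origin check and token stop it.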
  • I understand now, thank you. I guess my misconception was from a CTF in which I had to execute CSRF using a tag, because of that problem. I guess we could have used AJAX anyway. – t0m9er Jul 05 '16 at 07:40