
I need some clarifications about the problems that CORS (Cross-Origin Resource Sharing) can cause. Let's suppose that site A.COM has enabled CORS, in particular:

  • Access-Control-Allow-Origin can be set to any website in the HTTP request and it is copied back in the response
  • Access-Control-Allow-Credentials can be set to true

Given that, let's suppose that the following A.COM path, A.COM/user.php?id=USER_ID, hosts the password of the user (unrealistic, but let's go ahead).

The possible attack scenario is:

  1. Attacker creates a page hosted on B.COM where there is a JavaScript function that, when the page is loaded, sends an HTTP request (with the Origin header set) to A.COM/user.php?id=USER_ID, gets the result and stores it somewhere (maybe with an additional HTTP request to another attacker page)
  2. Attacker needs to force the user to load B.COM

So, my question is: since to access A.COM/user.php?id=USER_ID a user must be authenticated and have a cookie set, the attacker needs to be sure that the attacked user has a valid cookie for A.COM, and also the attacker needs to know the web structure of A.COM? If the attacked user is not logged in and does not have any cookie set, the attack does not work?

Thank you for the clarifications.

E.

Edge7
  • Not sure I understand your question. `If the attacked user is not logged in and does not have any cookie set, the attack does not work?` Obviously - what confidential information would you want to read from an unauthenticated user? – Arminius Mar 31 '18 at 18:23
  • so, (logged) user authentication is required. I just wanted to confirm this – Edge7 Mar 31 '18 at 18:55

2 Answers


Yes, cross-site request forgery (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)), which the same-origin policy mitigates, works best on a logged-in user. CORS loosens this mitigation for certain trusted websites.

Geir Emblemsvag

If the attacked user is not logged in and does not have any cookie set, the attack does not work?

That's right.

Attacks due to misconfigured CORS policies work exactly as you described. If the user is not logged in, there is nothing an attacker gains.

and also the attacker needs to know the web structure of A.COM?

Yes, an attacker needs to know what requests they can force a user to submit. They may know this because they too have an account with similar rights, because they had temporary access to an account or source code, because replies to CORS requests return further links, or they may try to guess requests.

tim
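As an added illustration of the misconfiguration the question and this answer describe (example code written for this page, not from the question, either answer, or any real A.COM), here is the reflecting policy beside an allowlist policy in plain Node.js, plus a check that flags the unsafe combination; the function names and the trusted origins are assumptions.

```javascript
// Constructed allowlist of origins that A.COM actually trusts (assumption).
const TRUSTED_ORIGINS = new Set(["https://app.a.com", "https://admin.a.com"]);

// The vulnerable pattern from the question: whatever Origin the request
// carries is copied into Access-Control-Allow-Origin, with credentials on.
// A logged-in user's browser will then let any site read the response.
function reflectingCorsHeaders(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened version: only origins on the fixed allowlist are echoed back.
// Any other Origin gets no ACAO header at all, so the browser refuses to
// expose the (authenticated) response to the calling page.
function allowlistCorsHeaders(requestOrigin, trusted = TRUSTED_ORIGINS) {
  if (!trusted.has(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    // Prevents a shared cache from serving one origin's response to another.
    "Vary": "Origin",
  };
}

// Check a reviewer or scanner can run on a captured response: the unsafe
// combination is ACAO equal to an origin outside the allowlist together
// with Access-Control-Allow-Credentials: true.
function isUnsafeCors(requestOrigin, headers, trusted = TRUSTED_ORIGINS) {
  const acao = headers["Access-Control-Allow-Origin"];
  const creds = headers["Access-Control-Allow-Credentials"] === "true";
  if (!acao || !creds) return false; // no credentialed cross-origin read
  if (acao === "*") return false;    // browsers reject "*" with credentials
  return acao === requestOrigin && !trusted.has(requestOrigin);
}

// Walk-through with the question's attacker site as the Origin.
const attacker = "https://b.com";
console.log("reflecting policy unsafe:",
  isUnsafeCors(attacker, reflectingCorsHeaders(attacker)));   // true
console.log("allowlist policy unsafe:",
  isUnsafeCors(attacker, allowlistCorsHeaders(attacker)));    // false
```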