
Exploiting CORS Misconfigurations for Bitcoins and Bounties

James Kettle at AppSec USA 2016

Hear the story of how a specification’s innocent intentions toward security and simplicity mingled with Real World Code and ultimately spawned hosts of unfortunately exploitable systems.

Cross-Origin Resource Sharing (CORS) is a mechanism for relaxing the Same Origin Policy to enable communication between websites via browsers. It's already widely understood that certain CORS configurations are dangerous. In this presentation, I'll skim over the old knowledge, then coax out and share with you an array of under-appreciated but dangerous subtleties and implications buried in the CORS specification. I'll illustrate each of these with recent attacks on real websites, showing how I could have used them to steal bitcoins from two different exchanges, partially bypass Google's use of HTTPS, and requisition API keys from numerous others. I'll also show how CORS blunders can provide an invaluable link in crafting exploit chains to pivot across protocols, exploit the unexploitable via server- and client-side cache poisoning, and even escalate certain open redirects into vulnerabilities that are actually notable.

In between looking at websites with harmful misconfigurations that range from depressingly predictable to utterly unfathomable, I'll reflect on where the CORS specification and implementations collaborated to save developers from themselves, and where the good intentions didn't work out so well. From this, I’ll propose several potential solutions and mitigations aimed at specification authors, browser vendors, developers and pentesters with varying degrees of optimism.
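As an added illustration of the configuration classes the abstract refers to (this is example code written for this page, not material from the talk or from PortSwigger), the function below audits one CORS response for a site's own endpoint: it checks whether the server echoed an arbitrary Origin, trusted the `null` origin, let an HTTPS site trust an `http://` origin, allowed credentials, or omitted `Vary: Origin` so a reflected header could be cached. All header samples and origin names are constructed.

```python
from urllib.parse import urlsplit

# Constructed samples: the Origin a test client sent and the server's answer.
SAMPLE_RESPONSES = {
    "reflect": {"Access-Control-Allow-Origin": "https://attacker.example",
                "Access-Control-Allow-Credentials": "true"},
    "null":    {"Access-Control-Allow-Origin": "null",
                "Access-Control-Allow-Credentials": "true"},
    "strict":  {"Access-Control-Allow-Origin": "https://app.example"},
}

def audit_cors(site_origin, request_origin, headers):
    """Return the list of weaknesses a browser would actually honour.

    site_origin    -- origin that served the response, e.g. "https://api.example"
    request_origin -- value of the Origin request header the tester sent; use
                      one that is not expected to be on the allow-list
    headers        -- response headers (any case); constructed in this example
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    vary = {v.strip().lower() for v in h.get("vary", "").split(",")}
    findings = []
    if acao is None:
        return findings                       # cross-origin read is blocked
    if acao == "*":
        # Browsers refuse '*' together with credentials, so only the
        # no-credentials case exposes anything, and only public data.
        findings.append("wildcard-with-credentials" if creds else "wildcard-origin")
        return findings
    if acao != request_origin:
        return findings                       # a fixed origin, not the one sent
    # The server echoed the origin the tester chose: the classic misconfiguration.
    findings.append("null-origin-trusted" if acao == "null" else "reflected-origin")
    if acao != "null" and urlsplit(site_origin).scheme == "https" \
            and urlsplit(acao).scheme == "http":
        findings.append("http-origin-trusted-by-https")    # undermines TLS
    if creds:
        findings.append("credentials-allowed")             # authenticated data readable
    if "origin" not in vary:
        findings.append("no-vary-origin")     # reflected header may be cached
    return findings
```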

James Kettle
Head of Research, PortSwigger Web Security
James Kettle is head of research at PortSwigger Web Security, where he designs and refines vulnerability detection techniques for Burp Suite's scanner. Recent work has focused on techniques to detect unknown classes of vulnerabilities, and the new Burp Collaborator system for identifying and exploiting asynchronous blind code injection.