Secure Code Warrior - Issues with origins
Download as PPTX, PDF0 likes71 views
The document discusses security vulnerabilities related to Cross-Origin Resource Sharing (CORS) and Content Security Policy (CSP) headers, highlighting how improper configurations can expose applications to attacks like cross-site scripting and unauthorized data access. It emphasizes the importance of setting precise headers to restrict access to resources and prevent malicious content injections. The document also outlines the Same Origin Policy (SOP) as a security mechanism to isolate resources from different origins.
![Issues with Origins
Understanding the security vulnerability API privacy issues
An application offers a
private API that should
only be available
internally.
a.app.com
b.app.com
GET
/resource/
private-
info
[Private
XML Data]
Because of an error, a CORS header
is set with a wildcard, thereby
allowing public access.
Access-Control-Allow-Origin: *
An attacker has found the API and
starts sending requests to it.
GET /resource/private-info
The attacker is able
to retrieve sensitive
data that should not
be publicly available.
<?xml version="1.0"
encoding="ISO-8859-1"?>
<users>
<user>
<uname>admin</uname>
<fname>Jane</fname>
<lname>Doe</lname>
</user>
<user>
<uname>jdoe</uname>
<fname>John</fname>
<lname>Doe</lname>
</user>
</users>[Private
XML Data]](https://image.slidesharecdn.com/issueswithorigins-161030130331/85/Secure-Code-Warrior-Issues-with-origins-7-320.jpg)
Secure Code Warrior - Issues with origins
- 1. Issues with Origins Web App Vulnerabilities by Secure Code Warrior Limited is licensed under CC BY-ND 4.0
- 2. What is it? Issues with origins occur when CORS headers grant access to an application’s resources by external parties. Alternatively, a missing CSP header could allow external sources being loaded in an application. What causes it? Bad configuration of the CORS and CSP headers. The CORS header can be set too broadly by specifying a wildcard, allowing all external origins. A missing CSP header will not restrict sources that can be loaded in the application.What could happen? A private API or other application sources could be exposed to all external sources. Content injections could result in cross-site scripting or injection of other malicious content in the application. How to prevent it? Set the CSP and CORS headers with appropriate configuration, limiting sources that can be loaded in the application and sources that can be loaded by external parties.
- 3. Issues with Origins Understanding SOP What is SOP? The Same Origin Policy (SOP) is a security mechanism that isolates sources from different origins. An origin is defined as the combination of {protocol, host, port}. As a result, scripts executed on one site will not be able to access certain resources from another site, such as cookies for example. URL Outcome Reason http://www.example.com/dir/profile.html True Same protocol, host, port. http://www.example.com/dir2/user.html True Same protocol, host, port. http://www.example.com:81/dir/profile.html False Different port. https://www.example.com/dir/profile.html False Different protocol. http://example.com/dir/profile.html False Different host. SOP in practice. Let’s see whether the following URLs are considered to be the same origin as an example URL: http://www.example.com/dir/home.html
- 4. Issues with Origins Understanding CSP What is CSP? The Content Security Policy (CSP) header allows an application to define origins of content that are allowed to load on its page, such as JavaScript, HTML frames, and applets. A well-configured CSP header can prevent cross-site scripting, clickjacking, and other content injections on the web page. CSP in practice. CSP has directives for every type of resource, some examples: script-src : Defines which scripts can be executed. form-action : List valid endpoints for form submissions. child-src : Defines allowed contents for embedded frames. object-src : Limits where Flash and other plugins can be loaded from. By default, if a directive is missing, it is assumed to allow everything. This can be overwritten for most directives by specifying a “default-src”.
- 5. Issues with Origins Understanding CORS What is CORS? Cross-origin Resource Sharing is a standard consisting of headers that allow to overwrite SOP and make resources, such as APIs available to other origins. CORS request headers are automatically set when making a call to a server, after which the server replies with response headers. CORS in practice. The following CORS response headers are the most important ones. Access-Control-Allow-Origin: Specifies a URI that may access the resource. Access-Control-Allow-Methods: Specifies the allowed methods when accessing a resource.
- 6. Issues with Origins Understanding the security vulnerability Welcome, Admin! Overly lax CSP The site makes use of a CSP header to protect against XSS. It does not allow any scripts. However, by default, the child-src directive is set wide open. Content-Security-Policy: script-src ‘none’ A popular news site has drawn attention from an attacker, who tries to find vulnerabilities in the site. Latest News: Internet hacked again. The attacker has been able to inject a hidden malicious iframe on the news site that tries to install malware on the users’ PCs. Latest News: Internet hacked again. <iframe>malicious.com</iframe> Because of a badly configured CSP header, the iframe is loaded when a user views the news article. Latest News: Internet hacked again.
- 7. Issues with Origins Understanding the security vulnerability API privacy issues An application offers a private API that should only be available internally. a.app.com b.app.com GET /resource/ private- info [Private XML Data] Because of an error, a CORS header is set with a wildcard, thereby allowing public access. Access-Control-Allow-Origin: * An attacker has found the API and starts sending requests to it. GET /resource/private-info The attacker is able to retrieve sensitive data that should not be publicly available. <?xml version="1.0" encoding="ISO-8859-1"?> <users> <user> <uname>admin</uname> <fname>Jane</fname> <lname>Doe</lname> </user> <user> <uname>jdoe</uname> <fname>John</fname> <lname>Doe</lname> </user> </users>[Private XML Data]
- 8. Issues with Origins Realizing the impact A private API could accidentally be made public, resulting in loss of private information or revenue. Script injection in an application could endanger users and cause reputational damage. Without proper access control an external party might be able to modify resources.
- 9. Issues with Origins Preventing the mistake Content Security Policy Determine which resources should be able to run. Explicitly specify resources for every page. Set a default-src. Cross-origin Resource Sharing Determine whether resources need to be available to other origins. Avoid configuring too broadly. i.e. allowing public access by specifying wildcards.