Hacking Intranet from Outside: Security Problems of Cross Origin Resource Sharing (CORS)

Presented at DEF CON China Beta (2018), May 13, 2018, 11 a.m. (60 minutes)

The default Same Origin Policy essentially restricts access of cross-origin network resources to be "write-only". However, many web applications require "read" access to contents from a different origin, so developers have come up with workarounds, such as JSON-P, to bypass the default Same Origin Policy restriction. Such ad-hoc workarounds leave a number of inherent security issues. CORS (cross-origin resource sharing) is a more disciplined mechanism supported by all web browsers to handle cross-origin network accesses. In this talk we present our empirical study about the real-world uses of CORS. We find that the design, implementation, and deployment of CORS are subject to a number of new security issues: 1) CORS relaxes the cross-origin "write" privilege in a number of subtle ways that are problematic in practice; 2) CORS brings new forms of risky trust dependencies into web interactions; 3) CORS is generally not well understood by developers, possibly due to its inexpressive policy and its complex and subtle interactions with other web mechanisms, leading to various misconfigurations. Finally, we propose protocol simplifications and clarifications to mitigate the security problems uncovered in our study.


Presenters:

  • Dr. Haixin Duan - professor at the Institute for Network Science and Cyberspace, Tsinghua University
    Dr. Haixin Duan is a professor at the Institute for Network Science and Cyberspace, Tsinghua University. He was once a visiting scholar at UC Berkeley and a senior scientist at the International Computer Science Institute (ICSI). Dr. Duan has been working on network security for more than 20 years. His recent research interests include protocol security, intrusion detection, and underground economy detection. Some of his research results were deployed by industry, for example by Baidu, and published in top security conferences such as Security & Privacy, USENIX Security, CCS and NDSS.
  • Jianjun Chen - PhD student, Tsinghua University
    Jianjun Chen is a PhD student at Tsinghua University supervised by Prof. Haixin Duan. In 2015, he visited UC Berkeley under the direction of Prof. Vern Paxson. He has currently published three papers at top security conferences (NDSS, CCS, IEEE S&P). Among them, the NDSS paper on CDN forwarding loop attacks won the conference's "Distinguished Paper Award". It is the first time that a Chinese scholar has won this award as the first author in top security conferences. His research work is not only recognized by the academic community, but has also helped many well-known industrial companies (e.g. Akamai, Cloudflare, Tencent) and open-source software projects (e.g. Squid) to fix multiple severe vulnerabilities.
