
It is common to say that CORS headers protect against CSRF: if you visit a malicious website, it cannot make a request to your web application because the Referer header (the URL of the malicious website) wouldn't be allowed by the CORS header.

But then the malicious website only needs to make a request first to a web server that will pass the request on to your website with the Referer header changed.

If it is so easy for CSRF to bypass CORS, then it's correct to say that CORS headers do nothing against CSRF. And if they do not prevent CSRF, what are they useful for?

mentallurg
  • 3
    You have it backwards. By default, browsers enforce Same Origin Policy (SOP), which prevents resources from one origin from interacting with resources from another origin, which would open the door to various XSS attacks. However, in some cases, it is desirable to allow this type of interaction, which is why we have CORS. CORS is used to relax SOP. See https://security.stackexchange.com/questions/8264/why-is-the-same-origin-policy-so-important for more info. – mti2935 Apr 16 '23 at 13:25
  • 3
    @mti2935 Exactly! So many people (including security "experts") get it wrong. Incidentally, I could use some help convincing this answerer... – jub0bs Apr 16 '23 at 13:41
  • https://security.stackexchange.com/a/270591/252758 – Mihail H. Jun 05 '23 at 20:26

1 Answer


What you describe will not work, because the attacker's server does not have authentication information and its requests will be rejected by the application.

In the normal case, when the attacker's script calls the application directly, the browser automatically sends all the cookies related to the application domain, including authentication cookies (e.g. session ID or JWT). But they will not be sent to the attacker's server. That's why the requests of the attacker's server to the application will have authentication info.

The only exception is the case when the attacker uses a subdomain or a sibling domain and the application cookies are configured to be visible to subdomains or sibling domains. The success of such an attack depends on how well the company controls the hosts behind its subdomains.

Back to your question: Yes, it is easy to bypass CORS in your scenario, but requests will be rejected, because authentication cookies will be missing. Thus, it will not help to break CSRF protection.

mentallurg
  • 1
    in reality all such domains are usually controlled by a single organization and the probability of such attack is very low. Quite debatable. A single XSS or subdomain takeover on a subdomain is all it takes, and many companies don't scrutinise the security of their subdomains. – jub0bs Apr 16 '23 at 13:39
  • 1
    @jub0bs: "subdomain takeover on a subdomain is all it takes" - Do you mean it is easy? Then please tell us how many cases of taking over subdomains of Google, Facebook or Amazon you know. – mentallurg Apr 16 '23 at 14:01
  • 1
    I'm not sure what you're referring to as "easy", but both detection and exploitation tend to be easy enough that bug-bounty hunters can automate them. Besides, many companies, including some big names, have seen their subdomains taken over. Though I can't disclose which one, yes, I have personally taken over a subdomain of a domain owned by Amazon; and this subdomain takeover of an xbox.com subdomain is public knowledge. Not trying to flex; just trying to convey the sense that subdomain takeovers are quite common. – jub0bs Apr 16 '23 at 14:08
  • 1
    Besides, in my experience, an instance of XSS on some obscure/forgotten subdomain is very common and often proves valuable to complete a bug chain, including exploiting some CORS misconfiguration. – jub0bs Apr 16 '23 at 14:10
  • 1
    @jub0bs: Then I don't understand what you mean by "is all it takes". – mentallurg Apr 16 '23 at 14:17
  • 1
    @jub0bs: "an instance of XSS on some obscure/forgotten subdomain is very common" - I don't understand what you want to say. Weak passwords are also very common. So what? – mentallurg Apr 16 '23 at 14:21
  • 1
    I'm merely putting into question your claim: in reality all such domains are usually controlled by a single organization and the probability of such attack is very low. – jub0bs Apr 16 '23 at 14:24
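As an added illustration (not code from the question, the answer or the commenters) of the answer's point and of the subdomain exception debated in the comments, here is a small Python model of browser cookie scoping: the relay server from the question only receives the cookies whose Domain matches it, so the request it forwards carries no session (whatever Referer it forges) unless the session cookie was set with a loose Domain that a sibling host can read. All hosts, cookie names and session values are constructed for the example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed session store for the toy application: one logged-in user.
VALID_SESSIONS = {"sess-42": "alice"}
APP_HOST = "app.example.com"

@dataclass
class Cookie:
    name: str
    value: str
    domain: str  # Domain attribute: sent to this host and all of its subdomains

@dataclass
class BrowserCookieJar:
    """Minimal model of browser cookie scoping: a cookie is attached to a request
    only when the target host is the cookie's domain or a subdomain of it."""
    cookies: list = field(default_factory=list)

    def cookies_for(self, url):
        host = urlsplit(url).hostname
        return {c.name: c.value for c in self.cookies
                if host == c.domain or host.endswith("." + c.domain)}

def app_handler(cookies, referer=None):
    """The application authenticates solely from the session cookie; the Referer
    (which a relay can forge at will) plays no part, so forging it buys nothing."""
    user = VALID_SESSIONS.get(cookies.get("session"))
    return 200 if user else 401

def direct_request(jar):
    """Victim's browser calls the app directly: matching cookies ride along."""
    url = f"https://{APP_HOST}/transfer"
    return app_handler(jar.cookies_for(url), referer=f"https://{APP_HOST}/")

def relayed_request(jar, relay_host):
    """The question's scenario: the malicious page makes the victim's browser call
    the attacker's relay, which forwards the request to the app with a spoofed
    Referer. The relay can only forward the cookies the browser gave *it*."""
    cookies_seen_by_relay = jar.cookies_for(f"https://{relay_host}/relay")
    return app_handler(cookies_seen_by_relay, referer=f"https://{APP_HOST}/")

def tight_jar():
    # Session cookie scoped to the application host only.
    return BrowserCookieJar([Cookie("session", "sess-42", APP_HOST)])

def loose_jar():
    # Session cookie set with Domain=example.com: visible to every subdomain.
    return BrowserCookieJar([Cookie("session", "sess-42", "example.com")])
```

With the tightly scoped cookie, `direct_request(tight_jar())` succeeds while `relayed_request(tight_jar(), "attacker.example")` is rejected; only `relayed_request(loose_jar(), "old.example.com")`, a relay on a sibling host that the loose Domain covers, gets through.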