-
Notifications
You must be signed in to change notification settings - Fork 10k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CORS security: reflecting any origin header value when configured to * is dangerous #3106
Comments
Hi, is there something I forget to do to advance this report? Thanks, |
I think the right people need to be pinged: @blowdart (also because i know he loves the attention) |
We've been looking at this. So yes, in theory it can do ugly things, if you end up reflecting the origin header, and you don't encode it, and it's reflected in the body. Which is pretty hard to do unless you end up using Html.Raw. Having said that we're looking at actually validating the incoming header to at least ensure it's a valid host, in terms of character validation, and ensuring you can't do * and allow credentials. We do default to not allowing credentials, so we don't exhibit one of the problems you linked to, because it's only dangerous with allow credentials and *. We do have folks going through the portswigger blog to see if we can make the API safer and help to avoid some of that misconfiguration. |
Hi Barry, thanks a lot for your reply. Yeah, setting credentials to false by default can reduce misconfigurations, but the point I want to say here is that, converting Current CORS standards(both W3C CORS and WHATWG fetch standard) have a clear definition for the wildcard *, which means any domain is allowed. But they also have another important security requirement: If a framework actively converts * to reflect any origin header value, it means Therefore, I suggest frameworks to follow the standard definition of *. When a user configures Thanks, |
Makes sense, we'll come back when we've poked and prodded some more. |
I think he has a valid point and I think it'd a change for the better. But I imagine you'll get some pushback from folks that don't care/understand the subtleties. Also, it's technically a breaking change, but maybe that's ok for security reasons (I think it is :)). |
Yea this might have to wait till 3.0 because it's a breaking change |
Thanks for your reply. FYI, here are some more similar issues: |
As part of aspnet/CORS@2690a3f, for 2.2.0, a) start responding with wildcard origin ( For 3.0, as part of #3452, we can throw an error when building the policy that prevents this configuration. |
Isn't this a breaking change? I understand it is security change, but as it returns * instead of convert to request's origin value, it breaks client side code. From version number, it is cors 2.2 package. If it is breaking change, it should be in 3.0 not 2.2 right? How come this got passed and deployed to 2.2 package? Personally I can get around this, since it happened on non production ready projects. I believe this should be noted down inside release note as breaking change. Am I correct? Unless I missed, inside migration from 2.1 to 2.2 documentation, it didn't mention this breaking change. |
Yup, I'll get this added to the migration notes. |
Well if sending credentials from any origin is dangerous, then we should at least be able to turn them off. But in the javascript SignalR client, credentials are hardcoded to true in XhrHttpClient.ts. Am I missing some sort of workaround? I don't know the origins that users will be connecting from. Edit: I can also confirm that changing that line to |
Sending credentials from arbitrary origins is the source of the vulnerability. Limiting it to a well-known list of origins should work. I haven't gotten around to diving in to this further, but I don't have a recommendation for allowing credentials from arbitrary origins as yet. |
When CORS policy is configured to
WithOrigins("*")
, asp.net CORS will actively convert it to reflect any Origin header value. This kind of behavior is dangerous and has caused many security problems in the past.Some similar security issues:
cyu/rack-cors#126
https://nodesecurity.io/advisories/148
Some related blog posts:
https://ejj.io/misconfigured-cors/
http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html
The text was updated successfully, but these errors were encountered: