While cross-origin resource sharing (CORS) is a great way to enable open access across domain boundaries, it’s critical to test CORS requests as part of your web application security protocols. Without the proper testing, your site is at risk of security breaches.
As Mozilla’s MDN Web Docs resource explains, “CORS is a mechanism that uses additional HTTP headers to let a user agent gain permission to access selected resources from a server on a different origin (domain) than the site currently in use.”
Cross-origin resources that may be embedded on a web page include images, CSS style sheets and scripts. As a more specific example, you could embed a Google map that shows all of your company’s locations.
How CORS Works At A Basic Level
CORS defines how a browser and a server interact to determine if it’s safe to allow the cross-origin request. HTTP headers permit the browser and server to request remote URLs, with the browser being primarily responsible for supporting the headers and honoring any restrictions. CORS offers more freedom than same-origin requests, and more security than allowing all cross-origin requests.
A post on the PortSwigger Web Security blog outlines the process in more detail, explaining how a website would enable CORS by sending this HTTP response header: Access-Control-Allow-Origin: https://example.com. The server then enables the credential transmission, which would ordinarily be blocked, with this header: Access-Control-Allow-Credentials: true.
As a result, a trust relationship is created, and “an XSS vulnerability on example.com is bad news for this site.” That’s because an attacker could steal cookies and credentials.
Why Web Application Security Is So Important
It’s important to verify that browsers are configured properly and not vulnerable to additional XSS attacks. You want to identify problems that you can remediate to prevent security breaches.
In particular, an XSS attack could redirect a user to a malicious site. For instance, in the example with the map mentioned above, an attacker might redirect users to a “fake” page instead of the Google map.
As a part of the process of building and testing web applications, you need to make sure that any shared resources are secure and that HTTP headers haven’t been tampered with. A CORS exploitation affects your customers because people lose trust in your company when they’re redirected to potentially malicious sites. The consequences are even more severe if sensitive data is compromised.
Whether you have a small business or a large enterprise, safeguarding your company’s reputation is essential. That’s why the testing of CORS requests needs to be included in your web application security protocols.
Ready to learn more about how you can protect your network? Discover three reasons you need internal penetration testing in addition to external testing.