Want to learn more about CORS? Check out CORS in Action: Creating and consuming cross-origin APIs.
Thanks to Jens Mueller, I was alerted to this issue. He was kind enough to send me the email below:
Basically, the regular expressions I was using to allow CORS access were broken. I needed to modify them to only allow https access, and to ensure that only origins ending in bloopist.com were allowed.
Testing for CORS Vulnerabilities
To test which origins were allowed by my CORS configuration, I used a simple curl command:
curl -H "Origin: https://bloopist.com.evil.com" --verbose https://bloopist.com 2>&1 | grep Origin
This command let me pick the origin that I wanted to pretend to be and printed out any header lines that included the word "Origin". From that, I could see if the server was sending back an Access-Control-Allow-Origin string that would allow attacks from other domains or not.
Before implementing my fixed CORS whitelist, I'd get outputs from curl like the one below.
$ curl -H "Origin: https://bloopist.com.evil.com" --verbose https://bloopist.com 2>&1 | grep Origin
> Origin: https://bloopist.com.evil.com
< Access-Control-Allow-Origin: https://bloopist.com.evil.com
< Vary: Origin
Protecting CORS Access
I updated my CORS regular expression to force https, allow either a subdomain of bloopist.com or the bare domain by itself, and to force the origin to end with bloopist.com. I use Rack::Cors in my Ruby on Rails applications, and I configured it like this:
# Access-Control-Allow-Origin
config.middleware.insert_before 0, Rack::Cors do
  allow do
    if Rails.env == "development"
      # Any origin is fine while developing locally
      origins('*')
    elsif Rails.env == "production"
      # https only; bare bloopist.com or any subdomain of it;
      # \A and \z pin both ends so bloopist.com.evil.com no longer matches
      origins(/\Ahttps:\/\/(.*?\.|)bloopist\.com\z/)
    end
    resource '*', :headers => :any, :methods => :any
  end
end
After updating my configuration, I double checked which origins were allowed CORS access. Domains other than bloopist.com are no longer allowed access. However, I was unable to figure out how to make curl indicate that it was coming from the null origin, so I was unable to test that this particular vulnerability was closed.
| Attacker Origin | Allowed Before? | Allowed After? |
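A quick way to check the whitelist without curl is to run the production regex from the configuration above against a list of candidate Origin values, which also covers the null origin case. This is an added example, not code from the original post or from Rack::Cors; it copies the regex and applies it directly, and the origins in the list are constructed for the test.

```ruby
# Added example: exercise the production CORS origin regex offline.
# ALLOWED_ORIGIN is copied from the Rack::Cors configuration in the post;
# origin_allowed? is a stand-in for the regex branch of the middleware's
# check (assumption: a regex entry is accepted exactly when it matches
# the raw Origin header value).
ALLOWED_ORIGIN = /\Ahttps:\/\/(.*?\.|)bloopist\.com\z/

# Returns true when the given Origin header value would receive an
# Access-Control-Allow-Origin header. A browser sends the literal string
# "null" for sandboxed iframes and file:// pages, so it is just another
# non-matching string here.
def origin_allowed?(origin)
  !!(ALLOWED_ORIGIN =~ origin.to_s)
end

# Constructed test origins with the result expected under the fixed config.
TEST_ORIGINS = {
  "https://bloopist.com"          => true,  # bare domain
  "https://www.bloopist.com"      => true,  # subdomain
  "https://api.v2.bloopist.com"   => true,  # nested subdomain
  "http://bloopist.com"           => false, # plain http is rejected
  "https://bloopist.com.evil.com" => false, # the original bug
  "https://evilbloopist.com"      => false, # no dot before bloopist.com
  "https://bloopist.com:8443"     => false, # \z rejects an explicit port too
  "null"                          => false, # null origin
}

# Evaluate every origin; returns [origin, actual, expected] triples.
def check_all(origins = TEST_ORIGINS)
  origins.map { |origin, expected| [origin, origin_allowed?(origin), expected] }
end

if __FILE__ == $PROGRAM_NAME
  check_all.each do |origin, got, expected|
    status = got == expected ? "ok  " : "FAIL"
    puts "#{status} #{origin.ljust(32)} allowed=#{got}"
  end
end
```

Note that the port case means a legitimate origin served on a non-default port would also be refused by this regex, which is worth knowing before reusing it elsewhere.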
Do you know how to get curl to use the null origin? Did you find this information helpful? Let me know in the comments.