What is CORS and how does it help you avoid having your money stolen?
<blockquote data-quote="Ghosthunter" data-source="post: 554" data-attributes="member: 6"><p>In this article, we will explain what the CORS policy is and what CORS is in general, as well as how it is useful for developers.</p><p></p><p><img src="https://www.securitylab.ru/upload/iblock/610/0mmx5cau1tmsx23suvow07z6e63429hm.jpg" alt="0mmx5cau1tmsx23suvow07z6e63429hm.jpg" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p>For modern web applications, loading resources from multiple domains is common practice. These resources are accessed using CORS. For example, if your site "<a href="http://www.mysite.com/" target="_blank">www.mysite.com</a>" needs to get user information from a server at "api.website.com", you must send a request to that server and get a response in the form of JSON data.</p><p></p><p><img src="https://www.securitylab.ru/upload/medialibrary/a81/386buxg7ombvsv57qep0x3wtsxnlrz8z.png" alt="386buxg7ombvsv57qep0x3wtsxnlrz8z.png" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p><strong>What is CORS?</strong></p><p><strong>Cross-Origin Resource Sharing (CORS)</strong>, the sharing of resources between different origins, is a mechanism that grants permission to load resources from one origin into another, while maintaining the integrity of the site and protecting it from unauthorized access. Modern browsers use it to determine which cross-site requests are safe.</p><p></p><p><img src="https://www.securitylab.ru/upload/medialibrary/308/xz40p7mtpp64gi2g7x7mg0id35p8jqkf.png" alt="xz40p7mtpp64gi2g7x7mg0id35p8jqkf.png" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p>For security reasons, browsers restrict access from scripts to resources that exist outside their own origin, using <strong>the Same-Origin Policy</strong>. 
This policy protects against identity theft from other web servers and Cross-Site Request Forgery (CSRF) attacks.</p><p></p><p><img src="https://www.securitylab.ru/upload/medialibrary/c42/8wfx77hwb40is22sg4n5kzaiqa3g6fk4.png" alt="8wfx77hwb40is22sg4n5kzaiqa3g6fk4.png" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p><img src="https://www.securitylab.ru/upload/medialibrary/594/enxp9dezl0vcv74yljxc50k1wr9qnh9u.png" alt="enxp9dezl0vcv74yljxc50k1wr9qnh9u.png" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p>In this case, one origin, the attacker's site, tries to access a resource from another origin, the online banking site. The Same-Origin Policy blocks the cybercriminal from accessing your banking data.</p><p>However, the same-origin rules also stop developers from accessing resources from different origins. This is why the CORS HTTP mechanism was developed: to tell the browser that restricted resources on a web page may be requested from other domains.</p><p></p><p>For example, here is a possible scenario for requesting information from an external origin, such as an API (common practice for client-side JavaScript code):</p><ol> <li data-xf-list-type="ol">The requesting origin makes a preflight request to the external web server using CORS headers;</li> <li data-xf-list-type="ol">The external web server then checks this preflight request to make sure that scripts are allowed to make the request;</li> <li data-xf-list-type="ol">After verification, the external web server responds with its own set of HTTP headers that define the valid request methods, origins, and custom headers. 
The server response may also indicate whether it is acceptable to send credentials, such as authentication headers.</li> </ol><p></p><p><strong>Why do I need CORS?</strong></p><p>If you want to use resources from a server other than your own, you will need to use CORS.</p><p></p><p>Some examples of what you can do with CORS include:</p><ul> <li data-xf-list-type="ul">Using web fonts or style sheets (Google Fonts or Typekit) from a remote domain;</li> <li data-xf-list-type="ul">Showing users' location on a map via the Google Maps API:<br /> <em><a href="https://maps.googleapis.com/maps/api/js;" target="_blank">https://maps.googleapis.com/maps/api/js;</a></em></li> <li data-xf-list-type="ul">Displaying tweets from the Twitter API:<br /> <em><a href="https://api.twitter.com/xxx/tweets/xxxxx;" target="_blank">https://api.twitter.com/xxx/tweets/xxxxx;</a></em></li> <li data-xf-list-type="ul">Using a headless CMS for content management;</li> <li data-xf-list-type="ul">Accessing any API hosted on another domain or subdomain.</li> </ul><p></p><p><strong>How does CORS work?</strong></p><p>CORS comes into play when a script from one origin sends a request to another origin. The whole exchange is controlled by a preflight request that exchanges HTTP request headers and response headers, known as "CORS headers".</p><p>Let's take a closer look at how preflight requests work.</p><p></p><p><strong>Preflight request</strong></p><p>A preflight request is an additional HTTP request using the "OPTIONS" method. The browser makes it for every unsafe request that is intended to modify data, such as POST, PUT, or DELETE requests.</p><p></p><p><img src="https://www.securitylab.ru/upload/medialibrary/25d/5objbbm71lnweww3oqwysycx9vs9wcy2.png" alt="5objbbm71lnweww3oqwysycx9vs9wcy2.png" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p>A preflight request is standard behavior for modern web browsers. 
The expected response from the application is one containing CORS headers with the correct instructions.</p><p>Example of a preflight request:</p><p></p><p><img src="https://www.securitylab.ru/upload/medialibrary/e34/mpb0jmvwy4vsusxqj77epbt9ewb1unuy.png" alt="mpb0jmvwy4vsusxqj77epbt9ewb1unuy.png" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p>Here we see several specific HTTP headers. These are some of the most common CORS headers used in browser requests and server responses:</p><ul> <li data-xf-list-type="ul">Access-Control-Allow-Origin</li> <li data-xf-list-type="ul">Access-Control-Allow-Methods</li> <li data-xf-list-type="ul">Access-Control-Allow-Headers</li> </ul><p>Let's take a closer look at how these CORS headers work.</p><p></p><p><strong>Access-Control-Allow-Origin</strong></p><p>Imagine the following scenario: I want to allow an application hosted on <em><a href="https://mywebsite.com/" target="_blank">https://mywebsite.com</a></em> to access the resource.</p><p></p><p>In this case, I need to specify the following:</p><p>Access-Control-Allow-Origin: <a href="https://mywebsite.com/" target="_blank">https://mywebsite.com</a></p><p>In addition, adding a custom <strong>Access-Control-Allow-Origin</strong> header to object stores such as AWS S3 or Google Cloud Storage will optimize throughput, optimize resource usage, and speed up data retrieval.</p><p><strong>Access-Control-Allow-Origin</strong> can also be used if another site copies yours wholesale, which negatively affects your site's SEO. This way, your website content will not be displayed on the mirror site. 
But you can also file a DMCA Takedown Notice to remove your content from the other site, because an attacker can bypass the Access-Control-Allow-Origin policy by using a proxy server.</p><p></p><p><strong>Security issues with Access-Control-Allow-Origin</strong></p><p>Quite often, you can find applications that use this notation for <strong>Access-Control-Allow-Origin:</strong></p><p><img src="https://www.securitylab.ru/upload/medialibrary/b77/p3kwzik20zedpefn8fz3oy72g3gukle1.png" alt="p3kwzik20zedpefn8fz3oy72g3gukle1.png" class="fr-fic fr-dii fr-draggable " style="" /></p></blockquote><p></p>
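The preflight exchange and the Access-Control-Allow-Origin check that the post above walks through, as an added example that is not part of the original post and not code from the site the post was translated from. It models both sides of CORS: a server-side policy that answers the OPTIONS preflight and the actual request, and the browser-side decision of whether the calling page may read the response. It goes a little beyond the post by putting a strict origin allowlist next to a weak configuration that reflects whatever Origin the browser sent while still allowing credentials; that weak configuration is one common misconfiguration and is not claimed to be what the post's final screenshot shows. The origins https://mywebsite.com and https://attacker.example, the /user path, the JSON body and the sample requests are all constructed for this illustration.

```javascript
'use strict';

// Added example (not from the original post): a CORS policy evaluator for an
// API plus the browser-side read check. Origins, path and samples are constructed.

// Strict policy: exact-match allowlist of origins (scheme + host + port).
const STRICT_POLICY = {
  allowedOrigins: new Set(['https://mywebsite.com']), // constructed origin
  allowedMethods: ['GET', 'POST', 'PUT', 'DELETE'],
  allowedHeaders: ['content-type', 'authorization'],
  allowCredentials: true,
  maxAgeSeconds: 600,
  reflectAnyOrigin: false,
};

// Weak policy seen in the wild: echo whatever Origin the browser sent while
// still allowing credentials, so any site can read the logged-in user's data.
const WEAK_POLICY = { ...STRICT_POLICY, reflectAnyOrigin: true };

// Header names are case-insensitive; normalize once.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = String(value);
  }
  return out;
}

// Value to emit in Access-Control-Allow-Origin, or null when not allowed.
function allowedOriginFor(origin, policy) {
  if (!origin) return null; // same-origin navigation or a non-browser client
  if (policy.reflectAnyOrigin) return origin;
  return policy.allowedOrigins.has(origin) ? origin : null;
}

// Server side: answer the OPTIONS preflight or the actual request.
// Returns { status, headers, body }; nothing here performs network I/O.
function handleRequest(req, policy) {
  const h = normalizeHeaders(req.headers);
  const allowOrigin = allowedOriginFor(h.origin, policy);
  const common = { Vary: 'Origin' }; // caches must key on Origin
  if (allowOrigin) {
    common['Access-Control-Allow-Origin'] = allowOrigin;
    if (policy.allowCredentials) common['Access-Control-Allow-Credentials'] = 'true';
  }

  const isPreflight = req.method === 'OPTIONS' && 'access-control-request-method' in h;
  if (isPreflight) {
    const method = h['access-control-request-method'].toUpperCase();
    const requested = (h['access-control-request-headers'] || '')
      .split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
    const ok = allowOrigin !== null
      && policy.allowedMethods.includes(method)
      && requested.every((name) => policy.allowedHeaders.includes(name));
    if (!ok) return { status: 403, headers: { Vary: 'Origin' }, body: '' };
    return {
      status: 204,
      headers: {
        ...common,
        'Access-Control-Allow-Methods': policy.allowedMethods.join(', '),
        'Access-Control-Allow-Headers': policy.allowedHeaders.join(', '),
        'Access-Control-Max-Age': String(policy.maxAgeSeconds),
      },
      body: '',
    };
  }

  // Actual request: the API still runs. The CORS headers only decide whether
  // the browser lets the calling page read this response.
  return {
    status: 200,
    headers: { ...common, 'Content-Type': 'application/json' },
    body: JSON.stringify({ user: 'alice', balance: 100 }), // constructed data
  };
}

// Browser side: may a page at pageOrigin read this response? Exact origin
// match is required; "*" is honoured only for requests without credentials.
function pageMayRead(response, pageOrigin, withCredentials) {
  const acao = response.headers['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;
  if (acao === '*') return !withCredentials;
  if (acao !== pageOrigin) return false;
  return !withCredentials || response.headers['Access-Control-Allow-Credentials'] === 'true';
}

// Constructed samples: a page on attacker.example calls /user with the
// victim's cookie attached (fetch(..., { credentials: 'include' })).
const ATTACKER = 'https://attacker.example';
const GET_FROM_ATTACKER = {
  method: 'GET', path: '/user',
  headers: { Origin: ATTACKER, Cookie: 'session=victim-session-cookie' },
};
const PREFLIGHT_FROM_ATTACKER = {
  method: 'OPTIONS', path: '/user',
  headers: { Origin: ATTACKER, 'Access-Control-Request-Method': 'PUT',
             'Access-Control-Request-Headers': 'Content-Type, Authorization' },
};

// Run the attacker's page against both policies.
function demo() {
  return {
    weakLeaksData: pageMayRead(handleRequest(GET_FROM_ATTACKER, WEAK_POLICY), ATTACKER, true),
    strictLeaksData: pageMayRead(handleRequest(GET_FROM_ATTACKER, STRICT_POLICY), ATTACKER, true),
    strictPreflightStatus: handleRequest(PREFLIGHT_FROM_ATTACKER, STRICT_POLICY).status,
  };
}
```

Two points worth noticing when running it: the server handles the attacker's GET in both policies, so CORS never stops the request itself, only the page's ability to read the reply; and the allowlist is compared with the exact Origin string, since prefix or regex matching (for example, checking that the origin "contains mywebsite.com") is what turns a narrow allowlist into the reflection bug shown by the weak policy.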