80 engineers, 150 deploys every week, sometimes several hundreds of AWS instances. In a startup environment maintaining a high level of security is a challenging task. Concepts, codebase and infrastructure are changing rapidly. We trust our fellow engineers, the languages they choose and the machines they fire up at their will. Fear of making mistakes can squash innovation and creativity. With that in mind we are continuously developing automated tools which detect risky changes without blocking anyone but make it possible to react quickly. We will go into details describing our methods and tools to detect changes which might lead to security issues. Be this change in our AWS infrastructure, in our codebase or at the OS level. Apart from the automated tools, we try to find other scalable ways of detecting issues. This is one of the main reasons we have launched our bug bounty program six months ago. The 100 submissions we got every month in average is a great indicator where we should improve the most. Besides fixing the issue itself we can use them as vulnerability patterns for our tools. This way we try to make sure that we are learning from our mistakes and we catch similar issues in the future as soon as possible. We would like to share our learnings – both personal and professional – which can be useful for other companies thinking about starting a bug bounty program. All in all we believe we are not the only ones facing similar challenges, so we would like to share our experience.

1. Gergely Revay
http://gerionsecurity.com
@geri_revay
Security implications of the Cross-Origin
Resource Sharing

2. Disclaimer
This presentation is purely my opinion and not at all
related to SIEMENS.
https://c1.staticflickr.com/1/21/27423135_082e7b5983.jpg

3. The Game

4. Agenda
●
What is CORS ?
●
Pre-CORS solutions
●
Attacker model
●
What's the problem?
●
Attack Scenarios
●
Solution
●
Demo

5. ●
Cross-Origin Resource Sharing
●
HTML5 feature
●
XmlHTTPRequest
●
Load content from another domain on the
client-side
What is CORS

6. What is CORS
Same-Origin Policy

7. Pre-CORS
●
Many different hacks
●
Proxy in same-origin
●
JSON-P
<script type="application/javascript"
src="http://server2.example.com/Users/1234?
jsonp=parseResponse">
</script>
HTML code:
parseResponse({"Name": "Foo", "Id": 1234, "Rank": 7});
Response Content:

8. How CORS works?
●
2 different request types:
– Simple request
– Not simple request
●
Browser makes the decision

9. The trick – simple request
Simple Request:Simple Request:
●
HEAD,GET or POST
●
Headers:
– Accept
– Accept-Language
– Content-Language
– Last-Event-ID
– Content-Type, but only if the value is
one of:
●
application/x-www-form-urlencoded
●
multipart/form-data
●
text/plain

10. The trick – NOT simple req

11. Preflight example
OPTIONS /cors HTTP/1.1
Origin: http://api.bob.com
Access-Control-Request-Method: PUT
Access-Control-Request-Headers: X-Custom-Header
Host: api.alice.com
Accept-Language: en-US
Connection: keep-alive
User-Agent: Mozilla/5.0
Access-Control-Allow-Origin: http://api.bob.com
Access-Control-Allow-Methods: GET, POST, PUT
Access-Control-Allow-Headers: X-Custom-Header
Content-Type: text/html; charset=utf-8
Preflight request:
Preflight response:

12. Attacker Model
c

13. Attacker Model
c

14. Attacker Model: Knowledge
Does he have internal knowledge ?
Internal External

15. Attacker Model: Goal
●
Get access to the internal network
●
Attack internal services
●
Steal data from the user.

16. Attacker Model: Location
Local Remote

17. What is the problem?

18. Attack scenarios
CORS is just a tool, not a vulnerability.

19. Attack scenarios: CSRF recap
c

20. Attack Scenarios
●
Multistage CSRF
●
Cross-domain data theft
●
Complex JavaScript attack scenarios
●
Pivoting (BeEF)
●
Network Enumeration
●
File upload CSRF

21. Example: File upload CSRF
-----------------------------256672629917035
Content-Disposition: form-data; name="file"; filename="test2.txt"
Content-Type: text/plain
test3
-----------------------------256672629917035

22. <html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://example.com/new_file.html", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "de-de,de;q=0.8,en-us;q=0.5,en;q=0.3");
xhr.setRequestHeader("Content-Type", "multipart/form-data;
boundary=---------------------------256672629917035");
xhr.withCredentials = "true";
var body = "-----------------------------256672629917035rn" +
"Content-Disposition: form-data; name="file"; filename="test2.txt"rn" +
"Content-Type: text/plainrn" +
"rn" +
"test3rn" +
"-----------------------------256672629917035--rn";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="submit" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>

23. Limitations
Pretty strong limitations

24. Limitations: Write only requests
XmlHttpResponse is not readable if:
●
No Access-Control-Allow-Origins header
●
Source origin is not allowed in A-C-Allow-
Origins
●
WithCredentials is true but A-C-A-O=*
Bear in mind: the requests are still sent!

25. Limitations: Preflight Req Fails
If one of the requirements of the pre-flight
request is not satisfied, the original request will
not be sent.
OPTIONS /cors HTTP/1.1
Origin: http://api.bob.com
Access-Control-Request-Method: PUT
Access-Control-Request-Headers: X-Custom-Header
Host: api.alice.com
Accept-Language: en-US
Connection: keep-alive
User-Agent: Mozilla/5.0

26. Solution
●
More awareness on the basics of CORS
●
Strict Allow-Origin settings
●
Rejecting Allow-Credential requests
●
Change of mindset: development problem

27. Hardening
Can and need to be done on various levels:
●
Webserver
●
Application

28. Hardening: Apache HTTPD
●
mod_headers
●
In config or .htaccess
●
<Directory>, <Location>, <Files> or
<VirtualHost>
Header set Access-Control-Allow-Origin “example.com”

29. Hardening: Application
Application logic should consider CORS and
set the appropriate headers.
i.e.: ASP .NET:
Response.AppendHeader(
"Access-Control-Allow-Origin",
"example.com");

30. DEMO
No animals were harmed in the making of these
demos.

31. Q & A
Thank you!
Gergely Revay
http://gerionsecurity.com
@geri_revay
Resources:
● http://www.w3.org/TR/cors/
● http://www.html5rocks.com/en/tutorials/cors/
● https://code.google.com/p/html5security/wiki/CrossOriginRequestSecurity
● https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS