
Everyone says CORS doesn't do anything to defend against CSRF attacks. This is because CORS blocks outside domains from accessing (reading) resources on your domain -- but doesn't prevent the request from being processed. So evil sites can send state-changing DELETE requests, without caring that they can't read back the result.

That's all well and good.

Except for pre-flight CORS.

In this case, CORS looks at the request BEFORE it is sent, and checks whether it's legitimate. If it's not, the request is rejected.

So the DELETE request that the CSRF attacker tries to send fails the pre-flight check, and thus is rejected. The CSRF attack fails.

What am I missing here?

ineedahero

1 Answer


Pre-flight requests don't prevent CSRF in general. For example, not all cross-domain ajax calls generate a pre-flight request; plain POSTs don't. There may be specific cases when pre-flight requests do indeed help to reduce the risk though.

Another problem is the same as with checking the referer/origin. While it is not possible for an attacker to override referer or origin in plain Javascript on a malicious website, it may be possible to do so using a suitable browser plugin, like an old version of Flash for instance. If a browser plugin allows doing that, the attacker might be able to send cross-origin requests without a pre-flight. So you don't want to rely on pre-flight requests only.

Gabor Lengyel
  • "For example not all cross-domain ajax calls generate a pre-flight request, plain POSTs don't." Why not? – ineedahero Dec 14 '16 at 19:54
  • You don't need ajax to do a simple cross-origin post. You can use a plain form post too, so there wouldn't be much value in restricting that. – Gabor Lengyel Dec 14 '16 at 20:01
  • Oh. I see what you are saying. I was wondering that... why does CORS pre-flight get activated for PUT requests but not for POST requests? Since like you say POSTs can be just as dangerous... – ineedahero Dec 14 '16 at 20:14
  • They can indeed. Even GETs can be dangerous if they change something on the server, which they should not of course, but it might be unintentional. In script languages like PHP or classic ASP, it's easy to write code that you intend to work upon a POST but also works with a GET because getting the parameters is generic. In this case GETs are also susceptible to CSRF, and cross-origin ajax GETs also don't generate a pre-flight. The reason is that a cross-origin GET can be achieved with a simple link. – Gabor Lengyel Dec 14 '16 at 20:27
  • Yes, but GETs are at least *expected* to be non-state-changing. Whereas POSTs are expected to change state. So why would pre-flight allow POSTs??? – ineedahero Dec 15 '16 at 01:11