
Imagine the following scenario.

I maliciously manage to get my banner ad to appear on BankOfSouthernJakku.com. In this ad, I serve up some JavaScript that calls out to StealMyData.com. Since I own StealMyData.com, I add a CORS policy to allow access from BankOfSouthernJakku.com.

The JavaScript therefore sends the state of the banking app to my malicious site.

In this instance, how does CORS protect the user? Or am I completely misunderstanding what CORS does?

P.S. I did read this and this, but they don't address this particular issue.

AngryHacker
  • CORS protects copyright more than users, or at least allows the owner to opt out of mechanical copyright enforcement. Its implications on security are fairly limited, as the most powerful attacks don't even use browsers. For exfiltration like you describe, where an opaque transfer is fine, CORS doesn't even come into play, as you can IMG ping, hidden form submit, etc. to get the private info off the site. – dandavis Nov 13 '18 at 21:59
  • The scenario you describe is not one the Same Origin Policy is designed to defend against. [XSS is a completely different class of attack](https://en.wikipedia.org/wiki/Cross-site_scripting). – Quentin Nov 13 '18 at 22:01
  • The point of CORS is that you can't steal the data from the website you're requesting. In your case, you're requesting `StealMyData.com` and CORS allows you to send and read it. However, what it won't let you do is make a call to `facebook.com` to get a list of friends for the logged-in user. So yeah, if you manage to run code on their website, CORS doesn't matter; you could just send the request as an image request. Or even worse, make a call from any website to `BankOfSouthernJakku.com` using the user's cookies. – Ruan Mendes Nov 13 '18 at 22:01
  • @dandavis — The Same Origin Policy (which CORS relaxes) does absolutely nothing related to copyright enforcement. – Quentin Nov 13 '18 at 22:01
  • Actually, they address it. It is the responsibility of BankOfSouthernJakku to protect its own data. The Same Origin Policy makes sure that you cannot call BankOfSouthernJakku from another webpage and thus steal the data this way. If they are stupid enough to include third-party scripts to be executed, that's their decision and their stupidity. – Patrik Valkovič Nov 13 '18 at 22:03
  • It stops no-cost (to attackers) mashups/aggregation, which prevents a site like Digg from simply Ajaxing in other content and showing it without ads or with new ads. It forces the "stolen" content to come from a registered domain and thus a paper trail. Money is THE motivator on the web, and money comes from ads. We don't live in a technologically deterministic world. – dandavis Nov 13 '18 at 22:03
  • @dandavis — Deep linking just means linking to a specific page (i.e. not the homepage) of a site. It is unrelated to Ajax or CORS. – Quentin Nov 13 '18 at 22:04
  • @dandavis and how does that prevent anything? If you want service A to access your account B, give service A a token / your password. – Jonas Wilms Nov 13 '18 at 22:06
  • Tech-minded people concern themselves with the how, often forgetting the why. The SOP locked down content and preserved revenue streams, but stopped mashups and other useful constructions/applications. CORS allows a mostly safe way to bypass these restrictions. Without CORS, a potential pirate or benevolent nerd almost categorically needs a credit card to buy a domain to vouch for the content; he can't just give away a script that pulls in CNN and NYT headlines/stories w/o ads, w/o exposing himself to civil action. Yes, on the face CORS is all tech, but society's (commercial) needs underpin it. – dandavis Nov 13 '18 at 22:17
  • @dandavis "which prevents a site like digg from simply ajaxing in other content and showing without ads or with new ads" It does not: I Ajax your stuff, you send Access-Control-Allow-Origin:, I ignore it (i.e. Chrome --disable-web-security). It is a completely client-side-only protection. The client can 100% decide to ignore it. – Martin Eckleben Jul 20 '22 at 10:11
  • @MartinEckleben: sure, but do you think enough browsers are configured that way to allow a successful content re-hosting site, or would such a site simply not work for the vast majority of visitors? – dandavis Jul 20 '22 at 10:44
  • @dandavis No, I mean I, as Digg, would simply proxy. I fetch your stuff in my backend (curl etc.), ignoring CORS completely, and deliver it from my site as if it were mine. It protects users from XSS, if I understand correctly. But it does not prevent content theft. – Martin Eckleben Jul 21 '22 at 08:17
  • @MartinEckleben re-serving from a backend would leave a paper and public trail to you via your registered domain name, so the folks you stole content from could legally stop you, which is exactly the point I was making. See how the domain is tied to a real single human to blame? Whereas w/o SOP, a decentralized bookmarklet/pastebin/local HTML file would be difficult to stop from stealing content on behalf of plain old users, each request coming from a different IP... – dandavis Jul 21 '22 at 10:15
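As an added example (not from the question or any of the comments), the following models the browser-side CORS response check of the Fetch standard and applies it to the scenario in the question: it shows that CORS only decides whether page script may read a cross-origin response, and that the bank, not StealMyData.com, is the party whose opt-in matters. Origin names and header values are constructed for illustration.

```javascript
// Model of the browser's CORS check (Fetch standard): given the origin the page
// script runs on, the response headers that came back, and whether the request
// carried credentials, decide whether the script may READ the response.
// Note: the request has already been sent by the time this check runs.
function corsCheck(requestOrigin, responseHeaders, withCredentials) {
  const acao = responseHeaders['access-control-allow-origin'];
  const acac = responseHeaders['access-control-allow-credentials'];
  if (acao === undefined) {
    return { readable: false, reason: 'no Access-Control-Allow-Origin header' };
  }
  if (!withCredentials && acao === '*') {
    return { readable: true, reason: 'wildcard origin, anonymous request' };
  }
  if (acao !== requestOrigin) {
    // A wildcard never satisfies a credentialed request; it falls through to here.
    return { readable: false, reason: `ACAO ${acao} does not match ${requestOrigin}` };
  }
  if (!withCredentials) {
    return { readable: true, reason: 'origin matches' };
  }
  if (acac !== 'true') {
    return { readable: false, reason: 'credentialed request without Access-Control-Allow-Credentials: true' };
  }
  return { readable: true, reason: 'origin matches and credentials allowed' };
}

// Constructed origins for the question's scenario (origins compare lowercase).
const BANK = 'https://bankofsouthernjakku.com';
const ATTACKER = 'https://stealmydata.com';

// Scenario in the question: the ad's script already runs ON the bank's origin
// and calls StealMyData.com, which opts in. CORS permits the read, because the
// policy is set by the responding site, and here the responding site is the
// attacker's own. Nothing in CORS was ever meant to stop this.
function questionScenario() {
  return corsCheck(BANK, { 'access-control-allow-origin': BANK }, false);
}

// What the same-origin policy does defend: a page on another origin calls the
// bank with the user's cookies. The bank sends no ACAO, so the page cannot
// read the account data even though the request itself reached the bank.
function crossOriginReadOfBank() {
  return corsCheck(ATTACKER, { 'content-type': 'application/json' }, true);
}

// Even a bank that echoes the requesting origin keeps credentialed responses
// unreadable unless it also sends Access-Control-Allow-Credentials: true.
function bankEchoWithoutCredentialsFlag() {
  return corsCheck(ATTACKER, { 'access-control-allow-origin': ATTACKER }, true);
}
```

The defensive takeaway matches the comments: the bank's CORS headers decide who can read its responses, while script already executing on the bank's page is an XSS / third-party-script problem that no CORS setting on either side addresses.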
