
Background:

  • My server domain is www.good.com, and CORS is not enabled
  • There is an API under 'test' controller, action name 'hello' (GET method), so the endpoint is www.good.com/api/test/hello
  • There's a mock malicious web call www.bad.com

Scenario:

  • www.bad.com sends a request to www.good.com/api/test/hello
  • Although the bad website couldn't see the response in the browser, the 'hello' action had still been executed and returned a full response.

My questions are:

  • If CORS is not allowed, why does the .NET Core framework still let the request enter my action and produce a result? If the purpose of not allowing CORS is to prevent cross-site requests, why doesn't it just block the request before entering the controller/action, so that we save resources/performance on the server? (since it's not a request we need to handle)

  • If the response comes with the actual data in the body, it doesn't matter whether the browser lets you see the content or not; just use some tool like Wireshark and you can still parse the content, which might be the sensitive data that was returned by my action. Then CORS is protecting nothing, which is weird to me.

Bugman Huang

1 Answer


As I understand it, CORS isn't really protecting you from malicious calls. It's protecting the user from malicious sites.

Users use browsers. And the browser is preventing the actual call here.

Browsers are able to cope with cross-site referencing and respect CORS headers. By issuing a preflight OPTIONS request, the actual call will be blocked. My guess is, this preflight OPTIONS request is missing from your mocked request.

Note: you can always make a malicious post with any kind of software and execute the request. The thing is: users tend to use browsers. Therefore one could make a site which maliciously posts data to your site, without the user knowing about it.

Or as Wikipedia states it:

Although some validation and authorization can be performed by the server, it is generally the browser's responsibility to support these headers and honor the restrictions they impose.


So concluding: I think it doesn't check the origin by itself out of the box, and I don't know the details of your mock setup, but it seems it's not an actual browser call. .... if it is... then that's very interesting; please show the mocked call.

Stefan