What is CORS and how does it help you avoid having your money stolen?
<blockquote data-quote="Ghosthunter" data-source="post: 555" data-attributes="member: 6">
<p>The "*" character tells the browser to allow access to the resource from any origin, effectively disabling the <strong>Same-Origin Policy</strong>. This means that the browser will not filter origins: any code on any site can make a request to the resource (including malicious domains).</p>
<p>In addition, the "*" symbol is widely used by hackers, especially for web skimmers. AJAX requests are sent from checkout pages on hacked sites to malicious servers that receive the stolen payment details.</p>
<p>For example, this JavaScript skimmer uses a cross-origin request with the corresponding CORS headers to send stolen data to a third-party server.</p>
<p><img src="https://www.securitylab.ru/upload/medialibrary/9af/brm3usg9i1d5dtk1yhwzcbp1a7d10fjw.png" alt="brm3usg9i1d5dtk1yhwzcbp1a7d10fjw.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>Part of the JavaScript credit card skimmer's exfiltration code.</p>
<p>Here is an example of the CORS headers used for the web skimmer's exfiltration URL:</p>
<p><img src="https://www.securitylab.ru/upload/medialibrary/c48/buep6476tdkn9aa9n2wwcjg4e3ajlu8t.png" alt="buep6476tdkn9aa9n2wwcjg4e3ajlu8t.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>Basically, hackers use these CORS headers with "*" on their servers to receive data from any hacked website. So if you also use CORS headers with "*" in your server responses, you make it easier for attackers to use your sites to steal data.</p>
<p><strong>Access-Control-Allow-Methods</strong></p>
<p>When developing a RESTful API, most endpoints will accept the GET, POST, PUT, PATCH, and DELETE methods.</p>
<p>You can use the <strong>Access-Control-Allow-Methods</strong> header to specify exactly which HTTP methods your application should expose to external origins. This can help reduce the risk of unwanted activity in your environment.</p>
<p><img src="https://www.securitylab.ru/upload/medialibrary/f57/alcsgwvs38egg8neq9ah7ala1fl5txa2.png" alt="alcsgwvs38egg8neq9ah7ala1fl5txa2.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>This header reserves POST, PUT, PATCH, and every other HTTP method that modifies the application's content for your own domain. External applications are left with read-only GET requests for resources.</p>
<p><strong>Access-Control-Allow-Headers</strong></p>
<p>The purpose of the <strong>Access-Control-Allow-Headers</strong> header is to allow custom headers. For example, an app that uses "X-My-Header" must respond to a preflight request with this header in its permitted list.</p>
<p><img src="https://www.securitylab.ru/upload/medialibrary/031/sy7649cx6e1qxqjy1stbfzdinqlwfb3r.png" alt="sy7649cx6e1qxqjy1stbfzdinqlwfb3r.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>If the header is not allowed, the developer console displays the following error:</p>
<p>Request header field authorization is not allowed by Access-Control-Allow-Headers in preflight response.</p>
<p><strong>How do I enable CORS on my server?</strong></p>
<p>You can easily change the CORS settings on any Apache server by modifying the ".htaccess" file.</p>
<ol> <li data-xf-list-type="ol">Open a file manager or sFTP;</li> <li data-xf-list-type="ol">Go to your website's directory;</li> <li data-xf-list-type="ol">Open your ".htaccess" file or create a new one;</li> <li data-xf-list-type="ol">Add the CORS directives to the file.</li> </ol>
<p><img src="https://www.securitylab.ru/upload/medialibrary/19b/ky7ehsgh6km456jsiv0d9po84hhhfpxx.png" alt="ky7ehsgh6km456jsiv0d9po84hhhfpxx.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>For NGINX users, CORS is enabled with the core Headers module.</p>
<p><img src="https://www.securitylab.ru/upload/medialibrary/e03/8r6o3ezjd76zeeck4fc9py7a4i3e1fzt.png" alt="8r6o3ezjd76zeeck4fc9py7a4i3e1fzt.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><strong>How to enable CORS on WordPress</strong></p>
<p><strong>1. Configure the CORS header function</strong></p>
<p>Add the following code to the "functions.php" file.</p>
<p><img src="https://www.securitylab.ru/upload/medialibrary/766/y5rdp4eav5sqp5nf7kfdpmreq366u38i.png" alt="y5rdp4eav5sqp5nf7kfdpmreq366u38i.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>Here you can check whether your environment is in production mode. If so, the value of "$origin_url" changes to your current domain.</p>
<p><strong>2. Enable the CORS feature</strong></p>
<p>Add the following "rest_api_init" action. It goes directly below the "initCors" function we just created.</p>
<p><img src="https://www.securitylab.ru/upload/medialibrary/acf/zyv97vcdvksbtdlb8ldghvlhbs1we4o3.png" alt="zyv97vcdvksbtdlb8ldghvlhbs1we4o3.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><strong>3. Allow support for multiple origins</strong></p>
<p>If you want to support multiple origins, create an array of allowed origins.</p>
<p><img src="https://www.securitylab.ru/upload/medialibrary/618/madd658liv6904iux6vja7lngpaexaxd.png" alt="madd658liv6904iux6vja7lngpaexaxd.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><strong>How do I avoid using CORS?</strong></p>
<p>Working with CORS may complicate your setup. You can always bypass CORS by adding a proxy server between your web server and the API, which makes requests appear to come and go from the same domain. However, this should only be used as a temporary solution during development.</p>
<p><strong>Website Security with CORS</strong></p>
<p>CORS is a way to improve the client-side protection of your web application, but it can't be used as the only layer of protection.</p>
<p>It is worth noting that CORS does not protect against cross-site scripting (XSS), and if configured incorrectly, it can make your site vulnerable to attacks. It is not difficult for an attacker to directly forge a request from any trusted origin, so you need to implement server-side security rules.</p>
<p>Apply the following security measures for your site:</p>
<ul> <li data-xf-list-type="ul">do not use the wildcard character "*", so that not every loaded script can reach the resource;</li> <li data-xf-list-type="ul">check all access control request headers against the appropriate access lists;</li> <li data-xf-list-type="ul">use a simple but secure string comparison against an array of trusted values to reduce the risk;</li> <li data-xf-list-type="ul">use as many layers of protection as possible;</li> <li data-xf-list-type="ul">regularly apply updates with software vulnerability fixes;</li> <li data-xf-list-type="ul">configure access control rules;</li> <li data-xf-list-type="ul">use a website firewall.</li> </ul>
<p>(c) <a href="https://www.securitylab.ru/analytics/536143.php" target="_blank">https://www.securitylab.ru/analytics/536143.php</a></p>
</blockquote>
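The origin check the quoted post recommends (no "*", exact string comparison against an array of trusted origins, explicit method and header lists), as an added example that is not part of the original post or the securitylab.ru article. The origins in the allowlist are constructed placeholders; `audit_cors_headers` is a hypothetical helper for reviewing what a server actually sends.

```python
# Added example: server-side CORS decision and a reviewer for existing responses.
from typing import Dict, List, Optional

# Constructed allowlist; replace with the origins your front end really uses.
ALLOWED_ORIGINS = frozenset({"https://shop.example", "https://checkout.example"})
ALLOWED_METHODS = "GET"           # external origins get read-only access
ALLOWED_HEADERS = "X-My-Header"   # the custom header the post mentions


def cors_headers(origin: Optional[str], preflight: bool = False) -> Dict[str, str]:
    """Headers to add for a request whose Origin header is `origin`.

    An empty dict means no grant: the browser blocks the cross-origin read.
    The match is an exact string comparison on the whole origin, so
    "https://shop.example.evil.test", "http://shop.example" and "null"
    are all rejected, and "*" is never emitted.
    """
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}
    headers = {
        "Access-Control-Allow-Origin": origin,  # echo only an allowlisted value
        "Vary": "Origin",  # keep caches from reusing this grant for another origin
    }
    if preflight:  # OPTIONS request asking which methods/headers are allowed
        headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS
        headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS
    return headers


def audit_cors_headers(resp: Dict[str, str], origin: Optional[str]) -> List[str]:
    """Review the CORS headers a server sent for `origin`; returns findings."""
    findings: List[str] = []
    allow = resp.get("Access-Control-Allow-Origin", "").strip()
    if allow == "*":
        findings.append("wildcard origin: any site may read this resource")
    if allow == "null":
        findings.append("'null' origin allowed: sandboxed frames match it")
    if allow and allow != "*" and allow == origin and allow not in ALLOWED_ORIGINS:
        findings.append("origin reflected without allowlist check")
    if allow and allow != "*" and "origin" not in resp.get("Vary", "").lower():
        findings.append("per-origin grant without Vary: Origin (cache poisoning risk)")
    return findings
```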