3
votes

I'm studying HTML5's security problems. I saw all the presentations made by Shreeraj Shah. I tried to simulate a basic CSRF attack with my own servers using the withCredentials flag set to true (so in the response message the cookies should be replayed) and adding a Content-Type set to text/plain in the request (to bypass the preflight call). When I tried to start the attack, the browser told me that the XMLHttpRequest could not be completed because of the Access-Control-Allow-Origin header. So I put a * in the header of the victim's web page, and the browser told me that I can't use the * character when I send a request with withCredentials set to true. I tried to do the same thing with web apps stored in the same domain, and all was fine (I suppose it is because the browser doesn't check whether the request comes from the same domain).

I'm asking: is this a new feature that modern browsers set up recently to avoid this kind of problem? Because in Shreeraj's videos, the request went across different domains and it worked...

Thank you all, and sorry for my English :-)

EDIT:

I think I found the reason why the CSRF attack doesn't work as in Shreeraj's presentations. I read the previous CORS document, published in 2010, and found that there wasn't any recommendation about the withCredentials flag set to true when Access-Control-Allow-Origin is set to *, but if we look at the last two publications about CORS (2012 and 2013), in section 6.1, one of the notes is that we can't make a request with the withCredentials flag set to true if Access-Control-Allow-Origin is set to *.

Here are the links:

The previous one (2010): http://www.w3.org/TR/2010/WD-cors-20100727/

The last two (2012, 2013): http://www.w3.org/TR/2012/WD-cors-20120403/ --- http://www.w3.org/TR/cors/

Here is the section I'm talking about: http://www.w3.org/TR/cors/#supports-credentials

If we look at the previous document, we cannot find it, because it isn't there.

I think this is the reason why the simple CSRF attack made in 2012 by Shreeraj Shah doesn't work today (of course, in modern browsers that follow the W3C's recommendations). Could it be?


1 Answer

1
votes

The request will still be made despite the browser error (if there's no preflight).

The Access-Control-Allow-Origin header simply allows access to the response from a different domain; it does not affect the actual HTTP request.

e.g. it would still be possible for evil.com to make a POST request to example.com/transferMoney using AJAX even though there are no CORS headers set by example.com.
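The following is an added example, not code from the question, the answer or Shreeraj Shah's presentations. It models the two browser-side decisions that together explain what the asker saw and what the answer states: whether a request is "simple" enough to go out without a preflight (so the server receives it regardless of CORS), and whether the calling page is then allowed to read the response (which is where the `*`-with-credentials rule from section 6.1 applies). The origin `https://evil.example`, the `/transferMoney`-style body and the victim's header sets are assumptions for illustration; the preflight handling is simplified to "the server sends the same CORS headers on the OPTIONS response as on the real one".

```javascript
// Added example: a model of the browser-side CORS checks (not a browser
// implementation, not code from the original page). Origins, request
// bodies and server header sets below are constructed for the demo.

const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);
const SAFELISTED_HEADERS = new Set([
  'accept', 'accept-language', 'content-language', 'content-type',
]);

// Does the browser send a preflight (OPTIONS) before this request?
// A request that needs no preflight is delivered to the server as-is,
// whatever CORS headers the server does or does not send back.
function needsPreflight(req) {
  if (!SAFELISTED_METHODS.has(req.method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(req.headers || {})) {
    const lname = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lname)) return true;
    if (lname === 'content-type') {
      const mime = value.split(';')[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) return true;
    }
  }
  return false;
}

// May a page at `origin` read a response carrying `resHeaders`?
// Header names are expected lower-cased. This is the check that produced
// the console errors described in the question.
function checkCorsResponse(origin, withCredentials, resHeaders) {
  const acao = resHeaders['access-control-allow-origin'];
  if (acao === undefined) {
    return { allowed: false, reason: 'no Access-Control-Allow-Origin header' };
  }
  if (acao === '*') {
    if (withCredentials) {
      return { allowed: false, reason: "'*' is not valid when credentials are sent" };
    }
    return { allowed: true, reason: 'wildcard origin, no credentials' };
  }
  if (acao !== origin) {
    return { allowed: false, reason: `origin ${origin} not allowed (header says ${acao})` };
  }
  if (withCredentials && resHeaders['access-control-allow-credentials'] !== 'true') {
    return { allowed: false, reason: 'credentials sent but Access-Control-Allow-Credentials is not "true"' };
  }
  return { allowed: true, reason: 'origin matched' };
}

// Simulate one cross-origin XHR/fetch from `origin`. `serverHeaders` is
// what the victim server sends on every response (assumed, for the demo,
// to be identical on the preflight and on the real request). Returns
// whether a preflight happened, whether the real request reached the
// server, and whether the attacker's script could read the response.
function simulate(origin, req, withCredentials, serverHeaders) {
  const preflight = needsPreflight(req);
  if (preflight) {
    // The real request goes out only if the preflight response allows
    // both the origin and the method.
    const pre = checkCorsResponse(origin, withCredentials, serverHeaders);
    const methods = (serverHeaders['access-control-allow-methods'] || '')
      .split(',').map((m) => m.trim().toUpperCase());
    if (!(pre.allowed && methods.includes(req.method.toUpperCase()))) {
      return { preflight, serverReceived: false, responseReadable: false,
               reason: 'preflight rejected: ' + pre.reason };
    }
  }
  const res = checkCorsResponse(origin, withCredentials, serverHeaders);
  return { preflight, serverReceived: true, responseReadable: res.allowed, reason: res.reason };
}

// Scenarios from the question: a credentialed text/plain POST from an
// attacker page (evil.example is an assumed origin) to a victim that
// (a) sends no CORS headers, (b) answers '*', (c) answers correctly,
// plus (d) the same POST with a JSON content type, which needs a preflight.
const attackerOrigin = 'https://evil.example';
const transfer = {
  method: 'POST',
  headers: { 'Content-Type': 'text/plain' },
  body: 'to=attacker&amount=1000', // constructed sample body
};
const scenarios = {
  noHeaders: simulate(attackerOrigin, transfer, true, {}),
  wildcard: simulate(attackerOrigin, transfer, true, { 'access-control-allow-origin': '*' }),
  explicit: simulate(attackerOrigin, transfer, true, {
    'access-control-allow-origin': attackerOrigin,
    'access-control-allow-credentials': 'true',
  }),
  json: simulate(attackerOrigin,
    { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: '{}' },
    true, {}),
};

for (const [name, result] of Object.entries(scenarios)) {
  console.log(name, result);
}
```

In the `noHeaders` and `wildcard` scenarios `serverReceived` is `true` while `responseReadable` is `false`: the victim processed the credentialed POST, and the only thing the browser blocked was the attacker's script reading the reply, which is exactly the answer's point. The `json` scenario shows the opposite: a non-safelisted content type triggers a preflight, and since the victim never approves it, the real request is never sent. The CSRF risk therefore lives in the request, and is addressed by anti-CSRF tokens or SameSite cookies on the server side, not by the CORS headers that govern reading the response.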