CORS Misconfiguration Leads to Cache Poisoning & DoS

Listen to this Post

I recently identified and reported a CORS misconfiguration in the API endpoint of Remitly Careers that led to a cache poisoning attack. By injecting a malicious Origin header, I was able to poison the server’s cache, causing legitimate requests from other origins to be blocked, effectively resulting in a Denial-of-Service (DoS). This vulnerability could have disrupted critical services if exploited at scale. Thankfully, the issue has now been patched! Security misconfigurations like these can have severe availability impacts, and I’m glad to see another one fixed! 🛡️

Practice Verified Codes and Commands

1. CORS Misconfiguration Exploitation

To test for CORS misconfigurations, you can use the following curl command to inject a malicious Origin header:

curl -H "Origin: https://malicious.com" -I https://api.remitlycareers.com/endpoint

2. Cache Poisoning Detection

Use the following command to check if the server is caching responses with injected headers:

curl -H "Origin: https://malicious.com" -H "X-Forwarded-Host: malicious.com" -I https://api.remitlycareers.com/endpoint

3. DoS Simulation

To simulate a DoS attack caused by cache poisoning, you can use a simple bash loop to flood the server with requests:

for i in {1..1000}; do curl -H "Origin: https://malicious.com" https://api.remitlycareers.com/endpoint; done

4. Mitigation Commands

To secure your server against CORS misconfigurations, ensure proper CORS headers are set in your web server configuration. For example, in Nginx:

add_header 'Access-Control-Allow-Origin' 'https://trusted.com';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';

5. Log Analysis

Use the following command to analyze server logs for suspicious Origin headers:

grep -i "Origin: " /var/log/nginx/access.log | awk '{print $1}' | sort | uniq -c | sort -nr

What Undercode Say

CORS misconfigurations are a critical security issue that can lead to severe consequences such as cache poisoning and Denial-of-Service (DoS) attacks. By injecting malicious Origin headers, attackers can manipulate server responses and disrupt services. It is essential to implement proper CORS policies and regularly audit server configurations to prevent such vulnerabilities.

In Linux, you can use tools like `curl` and `grep` to test and analyze CORS configurations. For example, the command `curl -H “Origin: https://malicious.com” -I https://api.example.com` helps identify if a server is vulnerable to CORS misconfigurations. Additionally, server logs can be analyzed using `grep` and `awk` to detect suspicious activities.

For Windows, PowerShell can be used to test CORS configurations:

Invoke-WebRequest -Uri "https://api.example.com/endpoint" -Headers @{"Origin" = "https://malicious.com"}

Regularly updating server configurations and using security headers like `Access-Control-Allow-Origin` can mitigate these risks. Tools like Nginx and Apache provide directives to enforce secure CORS policies.

For further reading on CORS and cache poisoning, refer to the following resources:
OWASP CORS Misconfiguration
Mozilla CORS Documentation
Cache Poisoning Explained

By staying vigilant and employing robust security practices, you can protect your systems from such vulnerabilities and ensure the availability of critical services.

References:

initially reported by: https://www.linkedin.com/posts/m-safvan_bugbounty-cybersecurity-websecurity-activity-7299046466185019392-uAOJ – Hackers Feeds
Extra Hub:
Undercode AIFeatured Image