So far in this Magento 2 security series we have discussed injection and CSRF attacks, general techniques to prevent them, and how the Webkul security module can provide an easy and quick fix.
Let's look at another class of attack: the exploitation of misconfigured Cross-Origin Resource Sharing (CORS), which attackers use in the wild to steal sensitive information from logged-in users.
A typical web application fetches resources such as images or JSON data from other origins, but the browser's same-origin policy restricts which cross-origin responses a script is allowed to read.
CORS is the standard way to relax that restriction: by sending CORS response headers, the server tells the browser which additional origins may read its responses.
But if the CORS policy is poorly configured or implemented, it can invite cross-domain attacks, because the browser will then let an attacker's page read responses that carry the victim's session cookies.
Let's look at the common misconfiguration scenarios:
1. Wildcard (*) in CORS headers: the Access-Control-Allow-Origin header is set to a wildcard (*), so any origin on the internet may read the response. Browsers refuse to combine * with Access-Control-Allow-Credentials: true, so a wildcard alone does not expose cookie-authenticated data, but it does expose everything the endpoint serves without credentials, and it is a sign that nobody decided which origins actually need access.
2. Whitelisted null origin: the browser sets the Origin header to the literal value null when it does not want to reveal the real origin to the server.
Browsers send Origin: null in situations such as:
- Cross-site redirects.
- Requests from pages loaded over the file: protocol.
- Requests from serialized data (for example a data: URL).
- Sandboxed cross-origin requests, such as from an iframe with the sandbox attribute.
In such cases, hiding the origin by sending null is a safety precaution. But if the server whitelists null, an attacker can satisfy the check trivially: any attacker page can make a credentialed request with Origin: null, for example from a sandboxed iframe, and read the response.
How to secure your Magento 2 store against CORS-based attacks
Avoid wildcards and whitelisting null
Avoid setting the Access-Control-Allow-Origin header to a wildcard (*): it is not good practice to trust every site on the internet.
Likewise avoid allowing null, since an attacker can send Origin: null at will. Also avoid reflecting the incoming Origin header into Access-Control-Allow-Origin without proper validation, and avoid loose matching such as unanchored regular expressions or prefix/suffix checks, which an attacker-controlled domain like shop.example.com.attacker.net can satisfy.
The header should name a specific origin. Admins should maintain a list of allowed/trusted origins and compare the incoming Origin against it exactly (scheme, host and port); return the header only on a match, and add Vary: Origin so a shared cache never serves one origin's response to another.
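The following is an added example, not Webkul's or Magento's code, that puts the four misconfigurations above beside a strict allowlist and runs each against a trusted origin, an attacker origin, the null origin and a look-alike origin. All origin names are hypothetical, and the browser-side check is a simplified model of the real CORS rules (in particular the rule that a credentialed response is never readable when Access-Control-Allow-Origin is "*").

```javascript
'use strict';

// Origins the store trusts. Hypothetical names chosen for this example.
const TRUSTED_ORIGINS = new Set([
  'https://shop.example.com',
  'https://checkout.example.com',
]);

// Constructed Origin header values as a browser would send them. The browser
// sends the literal string "null" for a sandboxed iframe or a file: page.
const ORIGINS = {
  trusted: 'https://shop.example.com',
  attacker: 'https://evil.example.net',
  nullOrigin: 'null',
  lookalike: 'https://shop.example.com.evil.net',
};

// Response headers that let the given origin read credentialed responses.
function allowWithCredentials(origin) {
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Misconfiguration 1: wildcard. Any origin may read the response, but browsers
// refuse to combine "*" with credentials, so only anonymous data is exposed.
function policyWildcard() {
  return { 'Access-Control-Allow-Origin': '*' };
}

// Misconfiguration 2: "null" whitelisted alongside the real allowlist.
function policyAllowNull(origin) {
  if (origin !== 'null' && !TRUSTED_ORIGINS.has(origin)) return {};
  return allowWithCredentials(origin);
}

// Misconfiguration 3: reflect whatever Origin arrives, with credentials.
function policyReflect(origin) {
  return allowWithCredentials(origin);
}

// Misconfiguration 4: prefix match instead of exact match, so
// https://shop.example.com.evil.net passes as https://shop.example.com.
function policyPrefixMatch(origin) {
  for (const trusted of TRUSTED_ORIGINS) {
    if (origin.startsWith(trusted)) return allowWithCredentials(origin);
  }
  return {};
}

// Hardened policy: exact match against the allowlist (scheme, host and port),
// no wildcard, no "null", and Vary: Origin so caches keep responses per origin.
function policyStrict(origin) {
  if (!TRUSTED_ORIGINS.has(origin)) return {};
  return allowWithCredentials(origin);
}

// Simplified model of the browser's check before a script may read a response.
function browserAllowsRead(headers, requestOrigin, withCredentials) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;
  if (withCredentials) {
    // Credentialed responses need an exact origin echo plus ACAC: true; "*" is rejected.
    return acao === requestOrigin &&
      headers['Access-Control-Allow-Credentials'] === 'true';
  }
  return acao === '*' || acao === requestOrigin;
}

// Run one policy against every constructed origin. Returns, per origin, whether a
// page hosted there could read anonymous and credentialed (cookie-bearing) responses.
function evaluate(policy) {
  const result = {};
  for (const [name, origin] of Object.entries(ORIGINS)) {
    const headers = policy(origin);
    result[name] = {
      anonymous: browserAllowsRead(headers, origin, false),
      credentialed: browserAllowsRead(headers, origin, true),
    };
  }
  return result;
}

// Demo: print which origins each policy lets read credentialed responses.
for (const policy of [policyWildcard, policyAllowNull, policyReflect, policyPrefixMatch, policyStrict]) {
  const leaks = Object.entries(evaluate(policy))
    .filter(([, r]) => r.credentialed)
    .map(([name]) => name);
  console.log(`${policy.name}: credentialed read allowed from [${leaks.join(', ')}]`);
}
```

Only policyStrict limits credentialed reads to the trusted origin; the reflect, null and prefix-match policies each let at least one attacker-controlled origin read cookie-authenticated responses, and the wildcard exposes every anonymous response while still failing the credentialed check for the legitimate origin.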
Maintaining a list of allowed origins is itself complicated and error-prone. In such cases Webkul can help with detecting and mitigating vulnerabilities on a Magento 2 store through its basic security module, which can also be customized.
To safeguard your Magento 2 store from other attacks such as malicious file upload or brute force, visit our store and check out the Security Extension Suite for Magento 2 module, which is effective in blocking malicious users and in notifying admins of suspicious login attempts.