CORSICA: Cross-Origin Web Service Identification

Vulnerabilities in private networks are difficult to detect for attackers outside of the network. While there are known methods for port scanning internal hosts that work by luring unwitting internal users to an external web page that hosts malicious JavaScript code, no such method for detailed and precise service identification is known. The reason is that the Same Origin Policy (SOP) prevents access to HTTP responses of other origins by default. We perform a structured analysis of loopholes in the SOP that can be used to identify web applications across network boundaries. For this, we analyze HTML5, CSS, and JavaScript features of standard-compliant web browsers that may leak sensitive information about cross-origin content. The results reveal several novel techniques, including leaking JavaScript function names or styles of cross-origin requests that are available in all common browsers. We implement and test these techniques in a tool called CORSICA. It can successfully identify 31 of 42 (74%) of web services running on different IoT devices as well as the version numbers of the four most widely used content management systems WordPress, Drupal, Joomla, and TYPO3. CORSICA can also determine the patch level on average down to three versions (WordPress), six versions (Drupal), two versions (Joomla), and four versions (TYPO3) with only ten requests on average. Furthermore, CORSICA is able to identify 48 WordPress plugins containing 65 vulnerabilities. Finally, we analyze mitigation strategies and show that the proposed but not yet implemented strategies Cross-Origin Resource Policy (CORP) and Sec-Metadata would prevent our identification techniques.

[1]  Arturs Lavrenovs,et al.  HTTP security headers analysis of top one million websites , 2018, 2018 10th International Conference on Cyber Conflict (CyCon).

[2]  Mohd. Shadab Siddiqui,et al.  Cross site request forgery: A common web application weakness , 2011, 2011 IEEE 3rd International Conference on Communication Software and Networks.

[3]  Jörg Schwenk,et al.  Same-Origin Policy: Evaluation in Modern Browsers , 2017, USENIX Security Symposium.

[4]  Collin Jackson,et al.  Robust defenses for cross-site request forgery , 2008, CCS.

[5]  Michal Zalewski The Tangled Web: A Guide to Securing Modern Web Applications , 2011 .

[6]  Anneli Folkesson,et al.  World Wide Web Consortium (W3C) , 2005 .

[7]  Mitsuaki Akiyama,et al.  Characterizing Obfuscated JavaScript Using Abstract Syntax Trees: Experimenting with Malicious Scripts , 2012, 2012 26th International Conference on Advanced Information Networking and Applications Workshops.

[8]  Paul Francis,et al.  The IP Network Address Translator (NAT) , 1994, RFC.

[9]  Marin Golub,et al.  A method for identifying Web applications , 2009, International Journal of Information Security.

[10]  Felix C. Freiling,et al.  Detecting Hidden Storage Side Channel Vulnerabilities in Networked Applications , 2011, SEC.

[11]  Adam Barth,et al.  The Web Origin Concept , 2011, RFC.

[12]  Dan Wing,et al.  Session Traversal Utilities for NAT (STUN) , 2020, RFC.

[13]  Markus Jakobsson,et al.  Drive-By Pharming , 2007, ICICS.

[14]  Dan Wing,et al.  Session Traversal Utilities for NAT (STUN) , 2020 .

[15]  Ashraf Matrawy,et al.  A classification of web browser fingerprinting techniques , 2015, 2015 7th International Conference on New Technologies, Mobility and Security (NTMS).

[16]  Martin Johns,et al.  On JavaScript Malware and related threats , 2008, Journal in Computer Virology.

[17]  Ben Stock,et al.  The Unexpected Dangers of Dynamic JavaScript , 2015, USENIX Security Symposium.

[18]  Nick Feamster,et al.  Web-based Attacks to Discover and Control Local IoT Devices , 2018, IoT S&P@SIGCOMM.