Research
Recent Trends in Malicious Packages Targeting Discord
The Socket research team breaks down a sampling of malicious packages that download and execute files, among other suspicious behaviors, targeting the popular Discord platform.
Readme
Corsair_scan is a security tool to test Cross-Origin Resource Sharing (CORS) misconfigurations. CORS is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served. If this is not properly configured, unauthorised domains can access to those resources.
CORS is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. It works by adding new HTTP headers that let servers describe which origins are permitted to read that information from a web browser.
CORS also relies on a mechanism by which browsers make a “preflight” request to the server hosting the cross-origin resource, in order to check that the server will permit the actual request. In that preflight, the browser sends headers that indicate the HTTP method and headers that will be used in the actual request.
The most common and problematic security issue when implementing CORS is the failure to validate/whitelist requestors. Too often, we see the value for Access-Control-Allow-Origin set to ‘*’.
Unfortunately, this is the default and as such allows any domain on the web to access that site’s resources.
As per the OWASP Application Security Verification Standard (ASVS), requirement 14.5.3 states
Verify that the Cross-Origin Resource Sharing (CORS) Access-Control-Allow-Origin header uses a strict allow list of trusted domains and subdomains to match against and does not support the "null" origin.
Corsair_scan works by resending a request (or list of requests) received as a parameter and then injecting a value in the Origin header. Depending on the content of the Access-Control-Allow-Origin header in the response to this request, we can assert if CORS configuration is correct or not. There are three scenarios that indicate that CORS is misconfigured:
If CORS is found to be misconfigured, we check to see if the response contains the header Access-Control-Allow-Credentials, which means that the server allows credentials to be included on cross-origin requests.
Often, CORS configurations make use of wildcards, for example accepting anything under * example.com *. This means that the origin domain.com.evil.com will be accepted as it matches the given regex. To try and combat this, corsair_scan tests four scenarios:
This project was developed with Python 3.9, but should work with any Python 3.x version. The best way to install it is using pip.
pip3 install corsair_scan --user
Corsair can be used both as a python module or as a CLI.
The method that performs the CORS scan is corsair_scan. Here is its definition:
Receives a list of requests and a parameter to enable/disable certificate check in the request
Input:
data [List]: A list of requests. Each request is a dictionary that contains the relevant data for the request:
verify [Boolean] [Default: True] : Sends this value to corsair_scan_single_url for each request
Output:
import corsair_scan.corsair_scan as corsair
url_data = {}
data = []
verb = 'GET'
url = 'https://example.com/'
params = 'user=user1&password=1234'
headers = {'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'en-GB,en;q=0.5', 'Connection': 'keep-alive', 'Upgrade-Insecure-Requests': '1',
'Origin': 'https://example.com',
'Host': 'example.com'}
url_data['verb'] = verb
url_data['url'] = url
url_data['params'] = params
url_data['headers'] = headers
data.append(url_data)
print (corsair.corsair_scan(data, verify=True))
Response:
{'report': [{'fake_origin': {'Access-Control-Allow-Origin': 'https://scarymonster.com',
'Origin': 'https://scarymonster.com',
'credentials': True,
'error': False,
'misconfigured': True,
'status_code': 200},
'post-domain': {'Access-Control-Allow-Origin': 'https://example.com.scarymonster.com',
'Origin': 'https://example.com.scarymonster.com',
'credentials': True,
'error': False,
'misconfigured': True,
'status_code': 200},
'pre-domain': {'Access-Control-Allow-Origin': 'https://scarymonsterexample.com',
'Origin': ' https://scarymonsterexample.com',
'credentials': True,
'error': False,
'misconfigured': True,
'status_code': 200},
'sub-domain': {'Access-Control-Allow-Origin': 'https://scarymonster.example.com',
'Origin': 'https://scarymonster.example.com',
'credentials': True,
'error': False,
'misconfigured': True,
'status_code': 200},
'url': 'https://example.com/',
'verb': 'GET'}],
'summary': {'error': [], 'misconfigured': [{'credentials': True,
'misconfigured_test': ['fake_origin',
'sub-domain',
'pre-domain',
'post-domain'],
'status_code': 200,
'url': 'https://domain.com',
'verb': 'GET'}]}}
As part of the pip package installation, a CLI is installed. The syntax to execute is as follows:
corsair FILE [-nv/--noverify][-r/--report]
The CLI needs a json file with a list of requests perform the scan. An example file is provided as part of the tests
:
[{
"verb": "GET",
"url": "https://example.com/",
"params": "user=user1&password=1234",
"headers": {
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
"Accept-Language": "en-GB,en;q=0.5",
"Connection": "keep-alive",
"Upgrade-Insecure-Requests": "1",
"Origin": "https://example.com",
"Host": "example.com"
}
}]
There are also two optional parameters:
Corsair_scan was developed by the Santander UK Security Engineering team who are:
FAQs
CORS testing library
We found that corsair-scan demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
The Socket research team breaks down a sampling of malicious packages that download and execute files, among other suspicious behaviors, targeting the popular Discord platform.
Security News
Socket CEO Feross Aboukhadijeh joins a16z partners to discuss how modern, sophisticated supply chain attacks require AI-driven defenses and explore the challenges and solutions in leveraging AI for threat detection early in the development life cycle.
Security News
NIST's new AI Risk Management Framework aims to enhance the security and reliability of generative AI systems and address the unique challenges of malicious AI exploits.