Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
-
@killames please.
Take your keyboard, hit yourself repeatedly until you never ever think of sth like that again.
A proxy shouldn't be misused - and especially not seen as a security measure or anything like that...
CORS belongs - as it should always be application specific - in the applications webserver, not somewhere else.
A proxy should be transparent in case of reverse proxying - I know a lot of people who try to turn an proxy into a kind of proxy firewall / API gateway / <we didn't bother so we just rewrote everything somewhere in the proxy> stuff...
And it's bad. A proxy (e.g. h2c smuggling) is vulnerable and the more the proxy does, the more likely the performance and security of your application suffers. Not to mention deployment pains, as without the proxy your application might not even work at all and without access to the proxy config no one might even know why.
A proxy is *not* the place to fix stuff you borked up in an application. -
@IntrusionCM personally I just hate http lol
-
@IntrusionCM and yeah I get it
And technically you’re also doing half the work of the sever and blah blah it’s easy enough to add the header allowing the origin on the service the browser is connecting to
And yes that was a knee jerk reaction to my hatred of cors
Which sucks
And prevents me from testing Ajax calls from goddamn html files
Which used to be a bigger deal -
@IntrusionCM such violence! Lol
-
@nitwhiz yeAh
The server tells the browser how to handle cross origin script includes
Meaning if a page on yahoo
References a script on crapdevmethods
The response header of the original page has to include an allow-origin for that domain and then the browser will behave itself and load the script
I was testing a ja script api with a static html page on my machine when I first encountered this stupid shit -
@IntrusionCM am I wrong with the description ? Want to hit me some more ?
-
@killames I never hit you.
:)
https://upload.wikimedia.org/wikipe...
CORS is a browser standard that allows the server / JS client runtime to define who has access and what can be executed.
It is a browser "gentleman" agreement - the browser asks nicely the server via an OPTION request (preflight) wether the request can be executed.
"Request can be executed" meaning if the HTTP method and domain are allowed to be executed.
In a nutshell, when you include an foreign script... And that script tries to call 'back'.... The browser and CORS prevents the script from doing nasty stuff.
JS is client side - the script cannot execute any requests if your server forbids it if it runs in a browser.
(CORS is of course useless if the HTTP library doesn't support it / implement it - but that's an whole different thing and _could_ be enforced on server side, e.g. sticky tables... But that's another story as non standard library opens a whole can of other attack vectors) -
@IntrusionCM just amuses me I designed and wrote a whole web app and never encountered that bs as all our data was housed on site and all our Api calls under the same domain and when I do there was no good docs on how to prevent it in my specific scenario
-
@killames well.... Don't take it personally, but the "Dunno don't care" principle is strong in every company.
Security and education costs.
Hence it are the two things that are obviously cut / ignored "for financial reasons".
In every company I worked so far were severe security holes. Usually they were lucky noone pressed charges....
On the other hand - the law loves the term "deliberately" / "vorsätzlich" (German)... So If you at least _try_ to put up the easy stuff like CORS, you / the company might get lucky when someone presses charges.
And pressing charges "for profit" will become more and more attractive I guess.
In Germany we at least have an employee protection by law, in countries like the USA you might get fired so the company "gets away with it" and you'll never get a job again. -
@killames why not use a WAF at that point?
-
@sariel no what I’m saying is the use of cors had no point on our intranet app
So I simply just never saw the error until doing something on my own time
What’s a waf again ? Lol -
@IntrusionCM you know I’ve seen some of the evolution of web security and it’s all pretty laughable to me
I could browse to a webpage and get a browser hijack installed
So saying “oh yeah you can run any script from this domain or no script from any other domain or a script that does this kind of request or that kind of request” seems pretty moot
Just a while ago I was browsing Pinterest for a web paper and my sec software warned me of a hijack attempt
Point is we base all this around a central insecure point which does not guarantee security at all -
@killames internal or not. Sometimes internal teams have the best of intentions and take your API down when they throw 60k requests per second at it.
WAF is Web Application Firewall.
Use it when you want to control every piece of a network request.
It can redirect, reject, transpose, rewrite, and hijack any web request. I believe some can even scan layer 3 network communications. -
@sariel sounds interesting
-
@sariel I once saw someone put a firewall between the two sides of a vpn
It was misconfigured and caused sql connections to drop resulting in an application on the same network bombing on numerous workstations
I don’t like adding more working parts
Seriously, y'all shitting on CORS but why? literally, why? it protects you. If you need an external api, could you please be fucking bothered to setup redirects, so it's /api and not fucking https://amazon23984723984723984.aws239847329847230948.spyware/...? duh
people who allow cors from "*" are the same people who always do everything with superuser rights. you're the reason why I always got offers
rant
cors