CSRF | CORS

CORS Is Not a CSRF Prevention Mechanism. Any request generated by an HTML form will necessarily be a simple request and will never be preflighted. Form submissions can be sent from any origin to any other origin. … While a properly configured CORS policy is important, it does not in itself constitute a CSRF defense.

Scenario

  1. The target, Joe, is logged into their account at https://bank.com.
  2. The target then visits the web site of the perp, Tom, at https://foo.com.
  3. Tom places the malicious URL on his own site, exploiting the fact that Joe is logged in at bank.com.

The perp knows the proper bank.com URL for requesting a transfer of money from Joe's account into Tom's account …

<a href="https://bank.com/transfer.do?acct=TOM&amount=100000">View my Pictures!</a>

Or as a 0x0 fake image:

<img src="https://bank.com/transfer.do?acct=TOM&amount=100000" width="0" height="0" border="0">

The server does not know this is a cross-origin request because it never checks that the request's Referer (or Origin) header matches its own Host; it authenticates on the session cookie alone, and so it allows the exploit.
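As an added example (not code from the page or from the cheat sheet it quotes), the following Python models the request Joe's browser makes for the 0x0 image above. It first shows that such a request is a CORS "simple" request, so the bank's CORS policy is never consulted, and then contrasts the handler described here, which trusts the session cookie alone, with one that rejects state changes over GET, validates the source origin from Origin/Referer, and requires a per-session synchronizer token. The function and class names, the session store, the cookie values and the request itself are constructed for illustration.

```python
# Added example, not code from the page. Names (CsrfGuard, transfer_vulnerable,
# transfer_hardened) and the sample session/cookie values are constructed.
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

BANK_ORIGIN = "https://bank.com"

# Methods and Content-Types that never trigger a CORS preflight. An HTML form,
# an <a href> or an <img src> can only produce requests in this class.
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded",
                        "multipart/form-data", "text/plain"}
# Headers the browser sets on its own; they never cause a preflight either.
BROWSER_SET = {"accept", "accept-language", "content-language",
               "content-type", "cookie", "host", "origin", "referer"}

def is_cors_simple_request(method, headers):
    """True if the browser sends this request without consulting the target's
    CORS policy first. Cookies are still attached, so the server sees an
    authenticated request either way."""
    if method.upper() not in SIMPLE_METHODS:
        return False
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype and ctype not in SIMPLE_CONTENT_TYPES:
        return False
    # Any application-set header (X-Requested-With, Authorization, ...) forces a preflight.
    return all(name.lower() in BROWSER_SET for name in headers)

def source_origin(headers):
    """Origin header if present, otherwise the origin part of Referer, else None."""
    if headers.get("Origin"):
        return headers["Origin"].rstrip("/").lower()
    parts = urlsplit(headers.get("Referer", ""))
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}".lower()
    return None

def session_id(headers):
    jar = SimpleCookie(headers.get("Cookie", ""))
    return jar["session"].value if "session" in jar else None

SESSIONS = {"joe-session": "joe"}  # constructed: cookie value -> account holder

def transfer_vulnerable(method, headers, params):
    """The behaviour the page describes: any method, authenticated by the
    cookie alone, no check of where the request came from."""
    user = SESSIONS.get(session_id(headers))
    if user is None:
        return "401 not logged in"
    return f"200 moved {params['amount']} from {user} to {params['acct']}"

class CsrfGuard:
    """Origin/Referer validation plus a per-session synchronizer token."""
    def __init__(self, site_origin):
        self.site_origin = site_origin.lower()
        self.tokens = {}  # session id -> token, kept server-side

    def issue_token(self, sid):
        tok = secrets.token_urlsafe(32)
        self.tokens[sid] = tok
        return tok  # the application embeds this in its own transfer form

    def check(self, method, headers, params):
        """Return (allowed, reason) for a state-changing request."""
        if method.upper() in ("GET", "HEAD", "OPTIONS"):
            return False, "state change must not be reachable via a safe method"
        origin = source_origin(headers)
        if origin != self.site_origin:
            return False, f"source origin {origin!r} is not {self.site_origin!r}"
        expected = self.tokens.get(session_id(headers))
        supplied = params.get("csrf_token", "")
        if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
            return False, "missing or wrong CSRF token"
        return True, "ok"

GUARD = CsrfGuard(BANK_ORIGIN)

def transfer_hardened(method, headers, params):
    allowed, reason = GUARD.check(method, headers, params)
    if not allowed:
        return f"403 {reason}"
    return transfer_vulnerable(method, headers, params)

# Constructed request: Joe's browser fetching the 0x0 image on Tom's page.
IMG_REQUEST = ("GET",
               {"Host": "bank.com", "Cookie": "session=joe-session",
                "Referer": "https://foo.com/"},
               {"acct": "TOM", "amount": "100000"})

if __name__ == "__main__":
    print(is_cors_simple_request(*IMG_REQUEST[:2]))  # True: no preflight, CORS never applies
    print(transfer_vulnerable(*IMG_REQUEST))          # 200 ...: the cookie alone is trusted
    print(transfer_hardened(*IMG_REQUEST))            # 403 ...: rejected on the GET alone
    tok = GUARD.issue_token("joe-session")
    print(transfer_hardened("POST",
          {"Host": "bank.com", "Cookie": "session=joe-session", "Origin": "https://bank.com"},
          {"acct": "ALICE", "amount": "10", "csrf_token": tok}))  # 200: legitimate same-origin form
```

Rejecting when neither Origin nor Referer is present is the conservative choice; the token check then still fails closed on its own. A `SameSite` attribute on the session cookie is a complementary browser-side control, not a replacement for the server-side check.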

Mitigate