So I'm reading up on these and am a little confused. I'm using an iframe of a site on another domain. I get No 'Access-Control-Allow-Origin' header is present on the requested resource.” Reading up on this I can just set the header in the web.config. However, I want multiple specific domains and not just the wildcard "*". I was reading up on the cross domain policy. Creating an xml file Is this by any means related or are these two completely different things?
This xml policy
<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="domain1.com"/>
<allow-access-from domain="domain2.com"/>
</cross-domain-policy>
vs this in the web.config
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="site1.com" />
</customHeaders>
</httpProtocol>
</system.webServer>
CORS works by adding a special header to responses from a server to the client. If a response contains the Access-Control-Allow-Origin header, and if the browser supports CORS, then there is a chance you can load the resource directly with Ajax no need for a proxy.
When you set, Access-Control-Allow-Origin value as “site1.com”.
With this configuration, only scripts that originate from http://site1.com are allowed to load resources. Any other domain trying to use Ajax to load resources will be given the standard security error message. In this way, site owners can limit which domains are allowed to load their resources with CORS.
Alternatively, site owners can grant wide-open access with the always ready to party asterisk:
Access-Control-Allow-Origin: *.
Now, any site that wants to load a resource directly using Ajax can do so without getting the browser security error. It's a very helpful technique for modern apps that often load data using JavaScript, and hopefully more modern web APIs will start to support CORS.
Related
I'm currently applying security fixes for a vulnerability which was found by a third party software. This is the issue (Often Misused: HTTP Method Override vulnerability).
The request from the software was similar to:
POST /Home/ViewProfile HTTP/1.1
Referer: https://somesite.com/Home/ViewProfile?qrystr=blahblah
[...]
X-HTTP-METHOD: PUT
X-HTTP-Method-Override: PUT
X-METHOD-OVERRIDE: PUT
[...]
And the response was:
HTTP/1.1 200 OK
[...]
The web application is not a RESTful API, it's just a an ASP.NET MVC site which only has GET and POST actions.
I have a few questions:
Is this a false positive given the type of app?
By default, does ASP.NET do anything with these headers X-HTTP-Method, X-HTTP-Method-Override, X-METHOD-OVERRIDE if not explicitly told to do so such as in this example?
Regarding the first linked issue above, what is the best way to go about achieving the recommended remediations if they're necessary/applicable based on my case:
"Ensure that only the required headers are allowed, and that the allowed headers are properly configured."
and
"Ensure that no workarounds are implemented to bypass security measures implemented by user-agents, frameworks, or web servers."
Another thing to note is I don't have access to modify IIS settings, but I can modify the Web.Config.
I had the same problem with a scan from my security team. What I did was limiting the size of those requests to zero (0) in the web.config. The server then returns a "HTTP Error 431.0 - Request Header Fields Too Large", effectively blocking the overrides.
</system.webServer>
...
<security>
<requestFiltering>
<requestLimits>
<headerLimits>
<add header="X-Http-Method-Override" sizeLimit="0" />
<add header="X-Method-Override" sizeLimit="0" />
<add header="X-HTTP-Method" sizeLimit="0" />
</headerLimits>
</requestLimits>
...
</requestFiltering>
</security>
...
</system.webServer>
However, I haven't checked yet if this effectively cancels the alert by the security scanner. I suspect it might still show, but I'm ready to report back as a false positive because the server is blocking all calls with those headers. I'll let you know as soon as I get a response from the security team.
I have a request to allow customers to select to authenticate to our service using mTLS (Mutual Authentication). The problem I have is I want to allow this only on one endpoint and only in special circumstances. I do not want to globally accept or require Client Certificates on each request. The setting in IIS allows Ignore, Accept, or Require.
When I set it to Accept and browse to the site in Chrome I get this pop-up
Is there a way to accept the certificates if they are passed to a specific endpoint but not change the behavior of other endpoints?
To enable SSL Negotiation settings on a specific route you can apply that setting to a specific location
<location path="Route/Goes/Here">
<system.webServer>
<security>
<access sslFlags="SslNegotiateCert"/>
</security>
</system.webServer>
</location>
Depending on how your IIS is setup this may cause a 500 error saying "This configuration section cannot be used at this path. This happens when the section is locked at a parent level." If that happens you need to enable the SSL Settings Read/Write flag as seen here:
Or using Powershell:
Set-WebConfiguration //System.WebServer/Security/access[#sslFlags] -metadata overrideMode -value Allow -PSPath IIS:/
I have an ASP.NET Web API running locally which I'm debugging with Fiddler. The API is running under an application pool account and makes a number of calls out to an external API.
When I run an acceptance test against my local API and capture requests in Fiddler I don't see those external requests, just the HTTP calls made directly within the test's app domain. Having done some reading I see that I need to configure IIS to use a default proxy to route all traffic through Fiddler.
So, I tried adding this to my web.config's system.net:
<defaultProxy>
<proxy autoDetect="false" bypassonlocal="false" proxyaddress="http://127.0.0.1:8888" usesystemdefault="false" />
</defaultProxy>
This works well. Fiddler now shows me all the internal HTTP requests being made by the API. However, I don't want to affect other developers by committing this web.config change, so I tried moving this section to my machine.config.
Having done this, even though I can see the configuration being pulled through to my IIS application (screenshot below), I don't see the same requests in Fiddler which suggests to me the proxy is not being used. Even after an iisreset.
Can anyone shed any light on this?
Update 1
#lex-li pointed out that usesystemdefault in my screenshot is true whereas I'd set it to false in machine.config. It seems this particular value is not pulled through to the application configuration from machine.config for some reason. However, if I override just that value in web.config as below, the application still doesn't use the proxy.
<system.net>
<defaultProxy>
<proxy usesystemdefault="false" />
</defaultProxy>
</system.net>
I built an ASP.NET Web API service and enabled CORS in that service. This service is used for serving report templates resources (html, image, css, font). The web client loads the template and display report based on downloaded template.
So, given the service enpoint: http://templates.domain.com,
and I try access the service (REST, Image, Font) from a web app (http://client.domain.com), then the web client app will load:
http://templates.domain.com/templates/:templateName
http://templates.domain.com/templates/:templateName/css/style.css
http://templates.domain.com/templates/:templateName/image/header.jpg
http://templates.domain.com/templates/:templateName/font/test.ttf
In the above, the REST API, CSS, and images from the service working well, but the font is blocked/failed.
Font from origin 'http://localhost:49350' has been blocked from
loading by Cross-Origin Resource Sharing policy: No
'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'null'
So far, I've tried the solutions below, but the font is still blocked.
Microsoft.Owin.Cors:
app.UseCors(CorsOptions.AllowAll);
Microsoft.AspNet.WebApi.Cors:
var cors = new EnableCorsAttribute("*", "*", "*");
config.EnableCors(cors);
Are you using OWIN or WebAPI?
For a AspNet WebAPI the following would allow everything through:
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
</customHeaders>
</httpProtocol>
</system.webServer>
It is important to point out that allowing "*" is potential security vulnerability as you are saying anyone from anywere can invoke these methods.
I have a server that sits behind an Incapsula Web App Firewall, which alters the headers sent to IIS. When I perform a specific request I get the following error from IIS: The server committed a protocol violation. Section=ResponseHeader Detail=CR must be followed by LF. This behavior is also described in: http://www.dragonblogger.com/fix-live-writer-protocol-violation-error-cr-lf/
According to this page http://msdn.microsoft.com/en-us/library/65ha8tzh%28v=vs.80%29.aspx I should be able to accept these headers by setting the useUnsafeHeaderParsing to true. So I tried adding this to the web.config in the virtual directory from which the specific request should be handled:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.net>
<settings>
<httpWebRequest useUnsafeHeaderParsing="true" />
</settings>
</system.net>
</configuration>
After restarting IIS it still does not work. I also tried adding this to the c:\windows\Microsoft.NET\framework\config\web.conf but it did not work either.
Does anyone have any idea what I am missing?
Thanks!
When trying to connect Azure Application Insights to one of our websites (also "protected" by Incapsula) we encountered the same response header violation. Setting the useUnsafeHeaderParsing to true didn't work either.
Consulting the Incapsula support desk helped us out: it seems that Incapsula is adding an irregular cookie to the response to identify the visitor as a bot or as a human visitor. The addition of the irregular cookie the to the response can be the cause of the response header violation. Incapsula also has Javascript classification, so we let them disable the irregular cookie and enable the Javascript classification.
This is how we solved the violation error.