CORS proxy browser

By Krzysztof Kotowicz

Description

CORS proxy browser is a proof of concept of how client-side web proxying can be done using Cross Origin Resource Sharing.

It allows you to fetch the content of websites that send the Access-Control-Allow-Origin: * HTTP header, modify it in place (e.g. remove ad.doubleclick.net ads) and redisplay the content in your own origin, where you have total control over it, bypassing the Same Origin Policy. All of this is done client-side. In fact, the whole proxy is just a single browser.html file (apart from the Flash fallback).

With this proxy browser you can redisplay modified content of other websites that use a permissive CORS setup, potentially driving ad traffic away from them. However, only public, non-authenticated content is displayed, as cookies won't work in this setup.

How to use it?

Just like any other browser. Enter a URL into the input field (http://sourceforge.net/ is a good example) and press ENTER. If the target website sends Access-Control-Allow-Origin: *, it will load in a moment. The flying marquee at the top is proof that you're actually modifying the content. If the header is missing, an alert will show the error. It only works in Firefox, Chrome, Safari and IE8+!

FAQ

Is it a demo of vulnerability?
Yes, but a tiny one. Unless the target website serves private or user-specific data without cookie-, HTTP- or SSL-client-certificate-based authentication, there is no privacy breach. It's only a demonstration that you're allowing an attacker to access your content through the victim's browser.
Has it been possible before?
You could always fetch any public content by issuing an HTTP request to the target webserver. You didn't even need a browser for that; a simple script would do. But with this technique the communication originates from the victim's browser, with the victim's IP address, bandwidth etc. There is no server-side code, just a simple HTML page. You can even download the file and use it locally over the file:// protocol (the Flash fallback won't work from file://).
What about Flash crossdomain.xml ?
Yes, it is also possible to make a similar browser using a tiny Flash file for sites with a permissive crossdomain.xml. But now, with CORS, it's possible without any addons, HTML5-style. I've added an optional Flash-based fallback though, because more websites currently use a permissive crossdomain.xml than CORS headers.
How does it work?
  1. You enter a URL.
  2. I ask the browser to fetch that remote URL with XMLHttpRequest.
  3. If we're lucky and the website sends Access-Control-Allow-Origin: *, I get the content. If there's an error and you agree, I try the Flash-based fallback.
  4. I modify the content, adding a marquee and a base href and making a simple attempt to remove ads.
  5. I create an iframe and display the content in it.
  6. The website starts working in my origin, loading scripts, styles, images etc.
  7. I periodically bind to all links and forms on the page and hijack them (XSS-Track style) to load other URLs using the same procedure.
Are <form> submissions supported?
Yes, basic GET / POST <form> submission is supported, just like navigating <a href> links. However, it's only a proof of concept, so complex AJAX applications will not work at all. Feel free to improve it.
Source code?
Well, you have it all in browser.html, but of course, sure, look at my GitHub repo.


Preferences

Which technology to use for cross domain communication?

  • CORS requires a permissive Access-Control-Allow-Origin header on the target domain, can be used from a page on the file:// protocol and will not attach or set cookies.
  • CORS with credentials requires a very permissive server setup for the response to be readable, but it will attach cookies. Best used for blind CSRF.
  • Flash requires a permissive crossdomain.xml file, requires the page to be served from a web server (not file://) but will attach and set cookies.
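As an added example (not code from browser.html), the following function shows which of the two CORS modes above a given server response would permit, applying the same rules browsers use in step 2 of "How does it work?": a wildcard Access-Control-Allow-Origin lets any origin read the body anonymously but never with credentials, while a credentialed read needs the exact origin reflected plus Access-Control-Allow-Credentials: true. The sample headers and the origin https://proxy.example are constructed for illustration.

```javascript
// Added example, not part of the original proxy: classify a server's CORS
// response headers by which proxying mode they would allow. A site owner
// can run this over real response headers to see what is exposed.

function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// requestOrigin is the Origin header the proxy page would send; a page
// loaded over file:// sends the literal string "null".
function corsExposure(headers, requestOrigin) {
  const h = normalizeHeaders(headers);
  const acao = h['access-control-allow-origin'];
  const credsFlag =
    (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  const modes = [];
  let reason;

  if (acao === undefined) {
    reason = 'no Access-Control-Allow-Origin header: cross-origin read blocked';
  } else if (acao === '*') {
    // Anonymous mode works from any origin, including file://. Browsers
    // reject "*" for credentialed requests even if the credentials flag is set.
    modes.push('CORS');
    reason = credsFlag
      ? 'wildcard origin: anonymous read allowed, credentialed read rejected by browser'
      : 'wildcard origin: anonymous read allowed';
  } else if (acao === requestOrigin) {
    modes.push('CORS');
    if (credsFlag) modes.push('CORS with credentials');
    reason = credsFlag
      ? 'origin reflected with Allow-Credentials: true: cookies will be attached'
      : 'origin allowed without credentials';
  } else {
    reason = `allowed origin "${acao}" does not match "${requestOrigin}"`;
  }
  return { modes, reason };
}

// Constructed sample responses (hypothetical, not captured from any site).
const SAMPLES = {
  wildcard: { 'Access-Control-Allow-Origin': '*' },
  reflected: { 'Access-Control-Allow-Origin': 'https://proxy.example',
               'Access-Control-Allow-Credentials': 'true' },
  none: { 'Content-Type': 'text/html' },
};
```

Run it as `corsExposure(SAMPLES.reflected, 'https://proxy.example')` to see both CORS modes reported; the Flash mode depends on crossdomain.xml rather than headers and is not covered here.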
