Misconfigured CORS

  • CWE 942

Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to tell a browser to let a web application running at one origin (domain) have permission to access selected resources from a server at a different origin. A web application makes a cross-origin HTTP request when it requests a resource that has a different origin (domain, protocol, and port) than its own origin.

An attacker may be able to bypass the web browser's same-origin policy and exploit this weakness to manipulate or steal cookies, forge requests that can be mistaken for those of a valid user, or compromise confidential information.

For security reasons, browsers restrict cross-origin HTTP requests initiated from within scripts. For example, XMLHttpRequest follows the same-origin policy. This means that a web application using this API can only request HTTP resources from the same origin the application was loaded from, unless the response from the other origin includes the right CORS headers.

Access-Control-Allow-Origin: *

Using the "*" wildcard to allow every site to access a private API is a bad idea for what should be obvious reasons: any origin can then read the API's responses from a visitor's browser.

Remediation

Rather than using a wildcard, or reflecting the supplied Origin header after a programmatic pattern check, compare the Origin against an explicit whitelist of trusted origins and only echo it back when it matches exactly.
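The following is an added example (not code from the original page) of the whitelist approach in Node.js: the Origin header is compared by exact string match against a fixed set, and the matching value, never "*", is echoed back. The origins, helper names and the request handler shape are assumptions for illustration.

```javascript
// Exact-match CORS allow-list (hypothetical origins, constructed for this example).
// A Set of full origins: scheme + host + port must all match.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Returns the CORS response headers for a request carrying `origin`, or an
// empty object when the header is missing, is the literal "null" origin, or is
// not in the allow-list. No regexes, substring or suffix checks: a near-miss
// such as "https://app.example.com.evil.test" or "http://app.example.com"
// (wrong scheme) is simply not in the Set and gets no CORS headers at all.
function corsHeadersFor(origin, allowed = ALLOWED_ORIGINS) {
  if (typeof origin !== 'string' || !allowed.has(origin)) {
    return {};
  }
  return {
    'Access-Control-Allow-Origin': origin,
    // Credentials are only ever granted to a specific trusted origin.
    'Access-Control-Allow-Credentials': 'true',
    // The response differs per Origin, so shared caches must key on it.
    'Vary': 'Origin',
  };
}

// Minimal request handler (hypothetical) usable with http.createServer(handler).
function handler(req, res) {
  const headers = corsHeadersFor(req.headers.origin);
  for (const [name, value] of Object.entries(headers)) {
    res.setHeader(name, value);
  }
  if (req.method === 'OPTIONS') {
    // Preflight: advertise methods/headers only when the origin was accepted.
    if (headers['Access-Control-Allow-Origin']) {
      res.setHeader('Access-Control-Allow-Methods', 'GET, POST');
      res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
    }
    res.writeHead(204);
    return res.end();
  }
  res.writeHead(200, { 'Content-Type': 'application/json' });
  res.end(JSON.stringify({ ok: true }));
}
```

Because the rejected case returns no Access-Control-Allow-Origin header at all, the browser enforces the same-origin policy for every origin that is not on the list.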
