Cors Allow Origin Wildcard
What does this mean?
CORS (Cross-Origin Resource Sharing) is a mechanism that lets web browsers execute cross-origin requests, for example through the XMLHttpRequest API, in a controlled manner. Such cross-origin requests carry an Origin header that names the origin from which the request was made. CORS defines the protocol a browser and a server use to decide whether a cross-origin request is approved: with the HTTP response header Access-Control-Allow-Origin, the web application tells the browser which origins are allowed to read the response. One of the most common CORS misconfigurations is the careless use of the wildcard (*) to permit origins to access resources. This value is often left as the default, which means that resources on the site can be accessed from any domain.
What can happen?
The issue is that a web client can put any value into the Origin request header in order to make the web application return the target resource's content. In a browser, the header value is set by the browser itself, but another "web client" (such as curl, Wget or Burp Suite) can set or override the Origin header freely.
Recommendation
Using the Origin header to validate that requests come from your site is not advised. Enable authentication on the resources accessed and require user or application credentials to be passed with CORS requests. Because any metadata in an HTTP request can be forged, it is impossible to be 100 percent certain that a request comes from the intended client application.
Sample Code
Vulnerable (C#, ASP.NET Core):
[HttpGet]
public string Get()
{
    // Either call emits the same header; use one of them (HeaderNames is from Microsoft.Net.Http.Headers)
    Response.Headers.Add("Access-Control-Allow-Origin", "*"); // Vulnerable
    // Response.Headers.Add(HeaderNames.AccessControlAllowOrigin, "*"); // Vulnerable (equivalent form)
    return "ok";
}
Non Vulnerable (C#, ASP.NET Core):
[HttpGet]
public string Get()
{
    // A single fixed origin (scheme and host), never the wildcard and never a value copied from the request
    Response.Headers.Add("Access-Control-Allow-Origin", "https://example.com"); // Non Vulnerable
    // Response.Headers.Add(HeaderNames.AccessControlAllowOrigin, "https://example.com"); // Non Vulnerable (equivalent form)
    return "ok";
}
Vulnerable (Java, Spring):
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
@CrossOrigin // Vulnerable: with no origins listed, Spring allows every origin
@RequestMapping("")
public class GetController {
    @GetMapping
    public String getMsg(ModelMap model) {
        model.addAttribute("msg", "ok");
        return "view";
    }
}
Non Vulnerable (Java, Spring):
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
@CrossOrigin("https://example.com") // Non Vulnerable: a full origin (scheme and host); a bare host name would not match the browser's Origin value
@RequestMapping("")
public class GetController {
    @GetMapping
    public String getMsg(ModelMap model) {
        model.addAttribute("msg", "ok");
        return "view";
    }
}
Vulnerable (PHP):
<?php
header("Access-Control-Allow-Origin: *"); // Vulnerable
Non Vulnerable (PHP):
<?php
// $domain holds a fixed, allowlisted origin (scheme and host); it must not be copied from the request's Origin header
$domain = "https://example.com";
header("Access-Control-Allow-Origin: $domain"); // Non Vulnerable
Vulnerable (Node.js):
const http = require('http');
const server = http.createServer((req, res) => {
    res.writeHead(200, { 'Access-Control-Allow-Origin': '*' }); // Vulnerable
    res.end('ok');
});
server.listen(3000);
Non Vulnerable (Node.js):
const http = require('http');
const server = http.createServer((req, res) => {
    // A full origin (scheme and host); the bare host name 'example.com' would never match the browser's Origin value
    res.writeHead(200, { 'Access-Control-Allow-Origin': 'https://example.com' }); // Non Vulnerable
    res.end('ok');
});
server.listen(3000);