
Cors Allow Origin Wildcard

What does this mean?

CORS (Cross-Origin Resource Sharing) is a mechanism that lets web browsers make cross-origin requests, for example through the XMLHttpRequest API, in a controlled manner. Each cross-origin request carries an Origin header naming the origin (scheme, host and port) the request was made from. The CORS protocol defines how a browser and a server decide whether a cross-origin request is approved: the web application uses the HTTP response header Access-Control-Allow-Origin to tell the browser which origins are approved. One of the most common CORS misconfigurations is the incorrect use of the wildcard value (*), which permits any origin to access the resource. This value is often left at its default, meaning that resources on the site can be read from any domain.

What can happen?

The issue here is that a web client can place any value in the Origin request header in order to make the web application return the target resource content. In a browser, the Origin header value is set by the browser itself, but another "web client" (such as curl, Wget or Burp Suite) can freely set or override the Origin header value.

Recommendation

Do not rely on the Origin header to validate that requests come from your site. Enable authentication on the resources being accessed and require user or application credentials to be passed with CORS requests. Because any metadata in an HTTP request can be forged, it is impossible to be 100 percent certain that a request comes from the intended client application.

Sample Code

Vulnerable :

using Microsoft.Net.Http.Headers;

[HttpGet]
public string Get()
{
    // Either line sets the same header; use one form, not both.
    Response.Headers.Add("Access-Control-Allow-Origin", "*"); // Vulnerable
    Response.Headers.Add(HeaderNames.AccessControlAllowOrigin, "*"); // Vulnerable
    return "ok";
}

Non Vulnerable :

using Microsoft.Net.Http.Headers;

[HttpGet]
public string Get()
{
    // Either line sets the same header; use one form, not both.
    Response.Headers.Add("Access-Control-Allow-Origin", "https://example.com"); // Non Vulnerable
    Response.Headers.Add(HeaderNames.AccessControlAllowOrigin, "https://example.com"); // Non Vulnerable
    return "ok";
}

Vulnerable :

import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
@CrossOrigin // Vulnerable: with no origins given, any origin (*) is allowed
@RequestMapping("")
public class GetController {
    @GetMapping
    public String getMsg(ModelMap model) {
        model.addAttribute("msg", "ok");
        return "view";
    }
}

Non Vulnerable :

import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
@CrossOrigin("https://example.com") // Non Vulnerable: the origin must include the scheme to match the browser's Origin header
@RequestMapping("")
public class GetController {
    @GetMapping
    public String getMsg(ModelMap model) {
        model.addAttribute("msg", "ok");
        return "view";
    }
}

Vulnerable :

header("Access-Control-Allow-Origin: *"); // Vulnerable

Non Vulnerable :

$domain = 'https://example.com'; // taken from a server-side allowlist, never from the request
header("Access-Control-Allow-Origin: $domain"); // Non Vulnerable

Vulnerable :

const http = require('http');
const server = http.createServer((req, res) => {
  res.writeHead(200, { 'Access-Control-Allow-Origin': '*' }); // Vulnerable
  res.end('ok');
});
server.listen(3000);

Non Vulnerable :

const http = require('http');
const server = http.createServer((req, res) => {
  res.writeHead(200, { 'Access-Control-Allow-Origin': 'https://example.com' }); // Non Vulnerable: full origin including scheme
  res.end('ok');
});
server.listen(3000);
