
CORS Allow Origin Wildcard

What does this mean?

Cross-Origin Resource Sharing (CORS) is a mechanism that lets web browsers perform cross-domain requests with the XMLHttpRequest API in a controlled manner. Such cross-origin requests carry an Origin header that identifies the domain initiating the request. CORS defines the protocol used between a web browser and a server to decide whether a cross-origin request is allowed. The web application tells the web client which domains are allowed through the HTTP response header Access-Control-Allow-Origin. One of the most common CORS misconfigurations is setting this header to the wildcard (*), which declares that any domain may request the resource. This is often left as the default, which means any domain can access resources on this site.

What can happen?

The risk here is that a web client can put any value into the Origin request header in order to force the web application to return the content of the target resource. For a browser web client the header value is controlled by the browser, but another "web client" (such as curl, wget or Burp Suite) can be used to change or override the Origin header value.

Recommendation

It is not recommended to use the Origin header to authenticate requests as coming from your site. Enable authentication on the resources accessed and require that the user or application credentials be passed with the CORS requests. It is not possible to be 100% certain that a request comes from the expected client application, since every part of an HTTP request can be faked.
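The following is an added example, not code from the original page: it places the wildcard misconfiguration described above beside a hardened, exact-match allowlist version of the Access-Control-Allow-Origin logic, and adds a small audit function that flags the wildcard in a captured response. The allowlist origins are hypothetical; any real deployment would also enforce the authentication the recommendation calls for.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist for this example (hypothetical origins).
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def weak_cors_headers(origin: Optional[str]) -> dict:
    """The misconfiguration: every origin is allowed, whatever the request says."""
    return {"Access-Control-Allow-Origin": "*"}


def normalize_origin(origin: str) -> Optional[str]:
    """Return scheme://host[:port] lowercased, or None if not a well-formed origin."""
    p = urlsplit(origin)
    if p.scheme not in ("http", "https") or not p.netloc or p.path or p.query:
        return None  # rejects "null", bare hostnames and anything carrying a path
    return f"{p.scheme}://{p.netloc.lower()}"


def strict_cors_headers(origin: Optional[str], allowed=ALLOWED_ORIGINS) -> dict:
    """Hardened form: echo the Origin only on an exact allowlist match.
    Unknown, missing or malformed origins get no CORS headers at all,
    so the browser refuses to expose the response to the calling page."""
    if not origin:
        return {}
    norm = normalize_origin(origin)
    if norm is None or norm not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": norm,
        # Credentials may only be allowed for an explicit origin, never for "*".
        "Access-Control-Allow-Credentials": "true",
        # The response now depends on the Origin header; tell caches so.
        "Vary": "Origin",
    }


def audit_cors_headers(headers: dict) -> list:
    """Detection side: flag the wildcard in a captured HTTP response."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if h.get("access-control-allow-origin") == "*":
        findings.append("wildcard Access-Control-Allow-Origin")
        if h.get("access-control-allow-credentials", "").lower() == "true":
            # Invalid combination; browsers reject credentialed responses with "*".
            findings.append("credentials flag combined with wildcard origin")
    return findings
```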
