search

CORS Misconfiguration

hashtag
CORS Misconfiguration

hashtag
Description

CORS (Cross-Origin Resource Sharing) misconfiguration occurs when a web application improperly configures its CORS policy, allowing unauthorized domains to access its resources, leading to potential data leaks or unauthorized actions.

hashtag
Example with Scenario

Scenario: A web application has a misconfigured CORS policy that allows any origin to access its API. An attacker can exploit this to steal sensitive data by making requests from a malicious site.

hashtag
Payloads and Test Cases

Payloads

  1. Wildcard Origin:

    Origin: http://evil.com

  2. Insecure Allow-Origin Header:

    Access-Control-Allow-Origin: *

  3. Allowed Methods:

    Access-Control-Allow-Methods: GET, POST, PUT, DELETE

Test Cases

  1. Wildcard Origin:

    • Payload:

      Origin: http://evil.com

    • Test Case:

      // Send a request with a malicious origin
sendCORSRequest("http://evil.com", "/sensitive-data")
// Verify if the server responds with sensitive data
checkForSensitiveDataInResponse()

  2. Insecure Allow-Origin Header:

    • Payload:

      Access-Control-Allow-Origin: *

    • Test Case:

      // Send a request from any origin
sendCORSRequest("http://any-origin.com", "/sensitive-data")
// Verify if the server responds with sensitive data
checkForSensitiveDataInResponse()

  3. Allowed Methods:

    • Payload:

      Access-Control-Allow-Methods: GET, POST, PUT, DELETE

    • Test Case:

      // Send a request using an allowed method
sendCORSRequest("http://allowed-origin.com", "/sensitive-data", "POST")
// Verify if the server processes the request
checkForSensitiveDataInResponse()

hashtag
Mitigation

  1. Restrict Allowed Origins:

    • Specify a strict allow-list of trusted origins.

    • Avoid using wildcard (*) in the Access-Control-Allow-Origin header.

  2. Limit Allowed Methods:

    • Restrict the allowed HTTP methods to only those necessary.

    • Avoid allowing all methods (e.g., GET, POST, PUT, DELETE).

  3. Validate Preflight Requests:

    • Validate and properly handle preflight OPTIONS requests.

    • Ensure the Access-Control-Allow-Origin and other headers are correctly set.

  4. Use Credentials Securely:

    • Avoid using Access-Control-Allow-Credentials: true unless necessary.

    • Ensure the allowed origins are secure when using credentials.

  5. Content Security Policy (CSP):

    • Implement a strict Content Security Policy to mitigate the impact of CORS misconfigurations.

    • Use CSP to control the sources of content and reduce the risk of data leaks.

PreviousLaTeX InjectionNextHandy Commands & Payloads

Last updated