CORS Misconfiguration

Description

CORS (Cross-Origin Resource Sharing) misconfiguration occurs when a web application sets its CORS policy too loosely, so that browsers let pages on untrusted origins read its responses or send requests to it. Depending on whether credentials are also allowed, this can leak a logged-in user's data to another site or let that site perform actions on the user's behalf.

Example with Scenario

Scenario: A web application has a misconfigured CORS policy that grants any origin access to its API. An attacker can exploit this to steal sensitive data by making requests to the API from a malicious site that a victim visits.

Payloads and Test Cases

Payloads

  1. Wildcard Origin (the server reflects whatever Origin header it receives):

    Origin: http://evil.com
  2. Insecure Allow-Origin Header:

    Access-Control-Allow-Origin: *
  3. Allowed Methods:

    Access-Control-Allow-Methods: GET, POST, PUT, DELETE

Test Cases

  1. Wildcard Origin (the server reflects whatever Origin header it receives):

    • Payload:

      Origin: http://evil.com
    • Test Case:

      // Send a request carrying an attacker-controlled Origin header
      sendCORSRequest("http://evil.com", "/sensitive-data")
      // Vulnerable if the response reflects that origin in Access-Control-Allow-Origin
      // (worse with Access-Control-Allow-Credentials: true) and carries the data
      checkForSensitiveDataInResponse()
  2. Insecure Allow-Origin Header:

    • Payload:

      Access-Control-Allow-Origin: *
    • Test Case:

      // Send a request from an arbitrary origin
      sendCORSRequest("http://any-origin.com", "/sensitive-data")
      // Vulnerable if the response carries Access-Control-Allow-Origin: * and the data;
      // browsers never honour * together with credentials, so session-bound data needs a reflected origin
      checkForSensitiveDataInResponse()
  3. Allowed Methods:

    • Payload:

      Access-Control-Allow-Methods: GET, POST, PUT, DELETE
    • Test Case:

      // Send a request using a method the policy lists (state-changing ones matter most)
      sendCORSRequest("http://allowed-origin.com", "/sensitive-data", "POST")
      // Verify that the preflight response lists the method in Access-Control-Allow-Methods
      // and that the server actually processes the request
      checkForSensitiveDataInResponse()
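The three test cases above all come down to reading a few response headers and deciding what they mean. The following classifier is an added example, not code from the original page: it performs no network I/O, and the responses it inspects are constructed in-line to stand in for what the checklist's sendCORSRequest() would receive from the hypothetical /sensitive-data endpoint. It also distinguishes a wildcard from a reflected origin and notes whether credentials are allowed, which the checklist leaves implicit.

```python
"""Classifier for the three CORS test cases above.

Added example, not code from the original page. It does no network I/O: the
responses it inspects are constructed in-line to stand in for what the
checklist's sendCORSRequest() would receive for the hypothetical
/sensitive-data endpoint.
"""

STATE_CHANGING = {"PUT", "DELETE", "PATCH"}


def classify_cors(sent_origin, response_headers, origin_trusted=False):
    """Return finding codes for one response to a request sent with
    `Origin: <sent_origin>`.

    origin_trusted=False means the tester chose an origin the application has
    no reason to trust, so echoing it back is a misconfiguration.
    """
    h = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    methods = {m.strip().upper()
               for m in h.get("access-control-allow-methods", "").split(",") if m.strip()}

    findings = []
    if acao is None:
        return findings  # no CORS grant: the browser blocks cross-origin reads
    if acao == "*":
        findings.append("wildcard-origin")
        if creds:
            # Browsers refuse '*' together with credentials, so nothing leaks,
            # but the header pair shows the policy was never thought through.
            findings.append("wildcard-with-credentials")
    elif acao == sent_origin and not origin_trusted:
        findings.append("reflected-origin")
        if creds:
            # A logged-in victim's data is readable from the attacker's origin.
            findings.append("reflected-origin-with-credentials")
    if methods & STATE_CHANGING:
        findings.append("state-changing-methods-allowed")
    return findings


# Constructed responses, one per checklist test case plus a correctly
# configured control. Nothing here came from a real server.
SAMPLES = {
    "wildcard_origin_test": ("http://evil.com", False, {
        "Access-Control-Allow-Origin": "http://evil.com",
        "Access-Control-Allow-Credentials": "true",
    }),
    "insecure_allow_origin_test": ("http://any-origin.com", False, {
        "Access-Control-Allow-Origin": "*",
    }),
    "allowed_methods_test": ("http://allowed-origin.com", True, {
        "Access-Control-Allow-Origin": "http://allowed-origin.com",
        "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE",
    }),
    "strict_control": ("http://evil.com", False, {
        "Access-Control-Allow-Origin": "https://app.example.com",
        "Vary": "Origin",
    }),
}


def run_checklist(samples=SAMPLES):
    """Classify every sample; returns {name: findings}."""
    return {name: classify_cors(origin, hdrs, trusted)
            for name, (origin, trusted, hdrs) in samples.items()}


if __name__ == "__main__":
    for name, findings in run_checklist().items():
        print(f"{name}: {findings or 'no finding'}")
```

The `origin_trusted` flag matters for the third test case: an allow-listed origin is supposed to be echoed back, so reflection is only a finding when the tester sent an origin the application should not trust. The wildcard-with-credentials combination is flagged even though browsers reject it, because the same code path usually reflects origins elsewhere or will be "fixed" by reflecting them later.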

Mitigation

  1. Restrict Allowed Origins:

    • Specify a strict allow-list of trusted origins.

    • Avoid using wildcard (*) in the Access-Control-Allow-Origin header.

  2. Limit Allowed Methods:

    • Restrict the allowed HTTP methods to only those necessary.

    • Avoid allowing all methods (e.g., GET, POST, PUT, DELETE).

  3. Validate Preflight Requests:

    • Validate and properly handle preflight OPTIONS requests.

    • Ensure the Access-Control-Allow-Origin and other headers are correctly set.

  4. Use Credentials Securely:

    • Avoid using Access-Control-Allow-Credentials: true unless necessary.

    • When credentials are allowed, echo only an exact match from the allow-list; never pair credentials with a wildcard or a reflected origin.

  5. Content Security Policy (CSP):

    • Implement a strict Content Security Policy to mitigate the impact of CORS misconfigurations.

    • Use CSP to control the sources of content and reduce the risk of data leaks.
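Items 1 to 4 of the mitigation list above fit in one policy function. The code below is an added example and not the page's own; TRUSTED_ORIGINS, the method and header lists and the max-age value are placeholders, and the function is framework-agnostic (a middleware would call it before the real handler and merge the returned headers). The reflecting variant is included only as the misconfiguration to contrast against.

```python
"""Allow-list CORS policy implementing the mitigation list above.

Added example, not the page's own code. TRUSTED_ORIGINS, the method and
header lists and the max-age value are placeholders; the function is
framework-agnostic and would be called from a middleware before the handler.
"""

from urllib.parse import urlsplit

TRUSTED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})
ALLOWED_METHODS = ("GET", "POST")                    # only what the API needs
ALLOWED_HEADERS = ("content-type", "authorization")  # compared lower-case
PREFLIGHT_MAX_AGE = "600"


def normalize_origin(origin):
    """Canonical scheme://host[:port] of an Origin header, or None if malformed.

    Parsing the value and comparing the whole string means prefixes, suffixes
    and paths never match a trusted entry by accident.
    """
    if not origin:
        return None
    p = urlsplit(origin.strip())
    if p.scheme not in ("https", "http") or not p.netloc or p.path or p.query or p.fragment:
        return None
    return f"{p.scheme}://{p.netloc.lower()}"


def reflecting_cors_headers(request_headers):
    """The misconfiguration the page describes: echo whatever Origin arrives."""
    return {"Access-Control-Allow-Origin": request_headers.get("Origin", ""),
            "Access-Control-Allow-Credentials": "true"}


def cors_headers(method, request_headers, with_credentials=True):
    """Decide the CORS headers for one request.

    Returns (status, headers): 204 for an approved preflight, 403 for a
    rejected one, and None when the real handler should run. Header names in
    request_headers are matched case-insensitively.
    """
    req = {k.lower(): v for k, v in request_headers.items()}
    origin = normalize_origin(req.get("origin"))
    out = {"Vary": "Origin"}  # caches must not serve one origin's grant to another
    is_preflight = method.upper() == "OPTIONS" and "access-control-request-method" in req

    if origin not in TRUSTED_ORIGINS:
        # No grant at all: same-origin callers are unaffected, and the browser
        # blocks cross-origin reads for everyone else.
        return (403 if is_preflight else None), out

    out["Access-Control-Allow-Origin"] = origin  # exact allow-list match, never '*'
    if with_credentials:
        out["Access-Control-Allow-Credentials"] = "true"

    if is_preflight:
        wanted_method = req["access-control-request-method"].upper()
        wanted_headers = [h.strip().lower()
                          for h in req.get("access-control-request-headers", "").split(",") if h.strip()]
        if wanted_method not in ALLOWED_METHODS or any(h not in ALLOWED_HEADERS for h in wanted_headers):
            return 403, out
        out["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
        out["Access-Control-Allow-Headers"] = ", ".join(ALLOWED_HEADERS)
        out["Access-Control-Max-Age"] = PREFLIGHT_MAX_AGE
        return 204, out
    return None, out
```

Two details are easy to miss when writing this by hand: `Vary: Origin` is sent on every response because the Access-Control-Allow-Origin value now changes per request, so a shared cache would otherwise hand one origin's grant to another; and an untrusted origin gets no CORS headers at all rather than an error body, since the browser enforces the policy and the same-origin application keeps working unchanged.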
