Project

General

Profile

Actions
Copy link

Feature #268

open

Feature #235: [Security Audit Round 2 ]

[Security Audit Round 2 ] Cross Origin Resource Sharing (CORS) Misconfiguration

Added by Kalyan Battula 12 months ago. Updated 11 months ago.

Status:
Ready for Prod
Priority:
High
Assignee:
Vasu Malladi
Category:
-
Target version:
Security Audit
Start date:
01/05/2024
Due date:
% Done:

0%

Estimated time:
Deployed In:
Category:

Description

Cross Origin Resource Sharing (CORS) Misconfiguration
observation : Repeated
CWE : CWE-642
Description :
The application implements an HTML5 cross-origin resource sharing (CORS) policy for
this request that allows access from any domain.
Affected Path(s) :
/(WebServer)
Impact :
Any website can make XHR requests to your site and access the responses.
Evidence/Proof Of Concept :
Step 1: Cross Origin Resource Sharing (CORS) Misconfiguration as shown in below
screenshot.

Recommendation :
It is recommended not to use Access-Control-Allow-Origin: *.
Instead use Access-Control-Allow-Origin header should contain the list of
origins that can make CORS requests.
Reference Link:
https://cwe.mitre.org/data/definitions/942.html https://owasp.org/www-community/attacks/CORS_OriginHeaderScrutiny

Files

clipboard-202405011305-wrcjk.png (85.8 KB) clipboard-202405011305-wrcjk.png Kalyan Battula, 01/05/2024 01:05 PM
Actions
Copy link
 #1

Updated by Vasudev Mamidi 12 months ago

  • Assignee set to Vasu Malladi
Actions
Copy link
 #2

Updated by Harish Beechani 12 months ago

  • Status changed from New to Resolved
Actions
Copy link
 #3

Updated by Sivakanth Kesiraju 12 months ago

  • Target version set to Sprint 1 (29th April - 3rd May)
Actions
Copy link
 #4

Updated by Sivakanth Kesiraju 12 months ago

  • Target version changed from Sprint 1 (29th April - 3rd May) to Security Audit
Actions
Copy link
 #5

Updated by Harish Beechani 11 months ago

  • Status changed from Resolved to Ready for Prod
Actions
Copy link

Also available in: Atom PDF