Project

General

Profile

Actions
Copy link

Bug #85

closed

Feature #65: Security Audit

[Security Audit ] 20- Cross Origin Resource Sharing (CORS) Misconfiguration

Added by Kalyan Battula about 1 year ago. Updated 7 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Harish Beechani
Category:
-
Target version:
Security Audit
Start date:
17/04/2024
Due date:
% Done:

0%

Estimated time:
Deployed In:
Category:

Description

20- Cross Origin Resource Sharing (CORS) Misconfiguration
CWE : CWE-642
Description :
The application implements an HTML5 cross-origin resource sharing (CORS) policy for
this request that allows access from any domain.
Affected Path(s) :
/(WebServer)
Impact :
Any website can make XHR requests to your site and access the responses.
Recommendation :
It is recommended not to use Access-Control-Allow-Origin: *.
Instead use Access-Control-Allow-Origin header should contain the list of
origins that can make CORS requests.
Reference Link:
https://cwe.mitre.org/data/definitions/942.html https://owasp.org/wwwcommunity/attacks/CORS_OriginHeaderScrutiny
Evidence/Proof Of Concept :
Step 1: Cross Origin Resource Sharing (CORS) Misconfiguration as shown in below
screenshot.

Files

clipboard-202404171602-d382i.png (80 KB) clipboard-202404171602-d382i.png Kalyan Battula, 17/04/2024 04:02 PM
Actions
Copy link

Also available in: Atom PDF