Cross-Origin Resource Sharing (CORS) Misconfiguration Vulnerability in Server Response Headers

Affected headers and values:

Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS, HEAD, PATCH
Access-Control-Allow-Headers: access-control-allow-origin, origin, content-type, accept, authorization, data-partition-id, correlation-id, appkey

Details:

The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain. The application accepted the arbitrary origin supplied in the request, e.g. http://randomorigin.rand.

An unrestricted CORS policy can put the stability and reliability of the application at risk through an increase in unwanted traffic and potentially harmful requests.

Steps to reproduce:

  1. Open Postman
  2. Get the Postman collections from here: https://community.opengroup.org/osdu/qa/-/tree/main/Postman%20Collection
  3. Log in to the application according to https://community.opengroup.org/osdu/platform/pre-shipping/-/blob/main/R3-M21/GC-M21/Postman_Authentication_Guide.md?ref_type=heads
  4. Perform any request from the Postman collection, setting the Origin header to http://randomorigin.rand
  5. Notice that the response contains the CORS headers listed above.

Impact:

An unrestricted CORS policy can put the stability and reliability of the application at risk through an increase in unwanted traffic and potentially harmful requests. This could cost you in terms of server resources and potential unplanned downtime. Furthermore, the application might end up being vulnerable to CSRF attacks if the application architecture changes, for example if authentication tokens are stored in cookies with the SameSite attribute set to None.

Remediation:

To mitigate the CORS misconfiguration vulnerability, the following steps should be taken:

  • Access-Control-Allow-Origin: Update the Access-Control-Allow-Origin header to explicitly specify the trusted domains allowed to make cross-origin requests. Avoid using the "*" wildcard unless absolutely necessary.
  • Access-Control-Allow-Credentials: Remove the Access-Control-Allow-Credentials header. If the request is preflighted, the preflight request itself does not include credentials. If the server's response to the preflight request does not set the Access-Control-Allow-Credentials header to true, the browser reports a network error and does not complete the credentialed request. This will prevent browsers from including cookies or HTTP authentication information in these requests.
  • Access-Control-Allow-Methods: Review and limit the allowed methods specified in the Access-Control-Allow-Methods header to those actually required by the application. Remove any unnecessary methods to reduce the attack surface.
  • Access-Control-Allow-Headers: Update the Access-Control-Allow-Headers to include only the headers that are expected in the requests from the client.

For more information please refer to the OWASP CORS OriginHeaderScrutiny article.
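The following Python script is an added example and is not code from this report or from the OSDU project. It does two things that follow from the Details and Remediation sections: it checks a captured set of response headers for the misconfigurations described above (the header values are the ones quoted in the report; the probe origin is http://randomorigin.rand), and it builds the response headers for the allowlist policy the remediation asks for. The allowlist (https://app.example.com, https://admin.example.com) and the trimmed method and header lists are constructed assumptions; a deployment substitutes its own front-end origins and the methods and headers its API actually needs.

```python
"""Added example, not part of the report or the OSDU code base: a CORS
response-header check plus an allowlist-based policy builder."""
from urllib.parse import urlsplit

# Constructed placeholder allowlist; a real deployment lists its own front ends.
TRUSTED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://admin.example.com",
})

# Assumed minimal sets; the report's response advertises far more than this.
ALLOWED_METHODS = ("GET", "POST", "OPTIONS")
ALLOWED_HEADERS = ("Content-Type", "Accept", "Authorization",
                   "data-partition-id", "correlation-id")

# Constructed from the header values quoted in the report.
REPORTED_RESPONSE = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS, HEAD, PATCH",
    "Access-Control-Allow-Headers": ("access-control-allow-origin, origin, content-type, "
                                     "accept, authorization, data-partition-id, "
                                     "correlation-id, appkey"),
}
PROBE_ORIGIN = "http://randomorigin.rand"


def cors_findings(response_headers, probe_origin):
    """Return a list of misconfigurations found in a response's CORS headers.

    `probe_origin` is the untrusted Origin that was sent with the request, so
    seeing it echoed back is itself a finding. Header names are matched
    case-insensitively, as HTTP requires."""
    h = {k.lower(): v.strip() for k, v in response_headers.items()}
    findings = []
    acao = h.get("access-control-allow-origin", "")
    allow_creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*":
        findings.append("wildcard Access-Control-Allow-Origin")
    elif acao and acao == probe_origin:
        findings.append("untrusted Origin reflected in Access-Control-Allow-Origin")
    if allow_creds and acao:
        # Browsers refuse to honour credentials together with a literal "*",
        # so the pair in the report is inert in a browser today; it still
        # advertises an intent to allow credentialed cross-origin calls, which
        # is the CSRF exposure the impact section warns about.
        findings.append("credentials allowed together with a permissive origin")
    methods = {m.strip().upper()
               for m in h.get("access-control-allow-methods", "").split(",")
               if m.strip()}
    extra = sorted(methods - set(ALLOWED_METHODS))
    if extra:
        findings.append("unneeded methods: " + ", ".join(extra))
    return findings


def build_cors_headers(request_origin, request_method="GET"):
    """Build response headers for the hardened policy: echo only an allowlisted
    origin (never "*"), send no credentials header, and advertise only the
    methods and headers the API needs. Unknown or absent origins get no CORS
    headers at all, so the browser blocks the cross-origin read."""
    if not request_origin:
        return {}
    parts = urlsplit(request_origin)
    # Compare scheme://host[:port] exactly; a suffix/prefix match would let
    # e.g. app.example.com.attacker.example through, and "null" yields "://".
    normalized = f"{parts.scheme}://{parts.netloc}".lower()
    if normalized not in TRUSTED_ORIGINS:
        return {}
    headers = {
        "Access-Control-Allow-Origin": normalized,
        # The response now differs per Origin; tell caches not to mix them up.
        "Vary": "Origin",
    }
    if request_method.upper() == "OPTIONS":
        headers["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
        headers["Access-Control-Allow-Headers"] = ", ".join(ALLOWED_HEADERS)
        headers["Access-Control-Max-Age"] = "600"
    return headers


if __name__ == "__main__":
    for finding in cors_findings(REPORTED_RESPONSE, PROBE_ORIGIN):
        print("finding:", finding)
    print("probe origin  ->", build_cors_headers(PROBE_ORIGIN, "OPTIONS"))
    print("trusted origin->", build_cors_headers("https://app.example.com", "OPTIONS"))
```

Run against the reported headers the checker reports the wildcard origin, the credentials header and the four methods beyond the assumed minimum; run against the output of `build_cors_headers` for a trusted origin it reports nothing, and the probe origin receives no CORS headers at all.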