CORS Misconfiguration

Reference

Plugin Id: 40040 | CWE: 942

Remediation

To mitigate the CORS misconfiguration vulnerability, the following steps can be taken:

Configure the server correctly: Ensure that the server is properly configured to handle CORS requests. This includes setting the appropriate response headers to control access from different domains.

Example configuration for Apache web server:

Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods "GET, POST, OPTIONS"
Header set Access-Control-Allow-Headers "Content-Type"

Example configuration for Nginx web server:

add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
add_header Access-Control-Allow-Headers "Content-Type";

Limit the allowed domains: Instead of using a wildcard (*) for the Access-Control-Allow-Origin header, specify the specific domains that are allowed to make cross-origin requests. This helps to prevent unauthorized access from malicious domains.

Example configuration allowing requests only from example.com:
```
Header set Access-Control-Allow-Origin "https://example.com"
```
Enable credentials only when necessary: If the website does not require authenticated AJAX requests, it is recommended to disable the Access-Control-Allow-Credentials header or set it to false. This prevents potential leakage of sensitive information.

Example configuration disabling credentials:
```
Header set Access-Control-Allow-Credentials "false"
```

About

CORS (Cross-Origin Resource Sharing) is a security mechanism implemented by web browsers to control access to resources from different domains. It allows web servers to specify which domains are allowed to make cross-origin requests and what types of requests are allowed.

A misconfiguration in CORS can lead to security vulnerabilities, such as the ability for an attacker to perform AJAX queries to a vulnerable website from a malicious page loaded by the victim’s user agent. This can result in unauthorized access to sensitive information or the execution of malicious actions on behalf of the victim.

Risks

The risks associated with CORS misconfiguration include:

Unauthorized access to sensitive content: If the CORS misconfiguration allows unauthenticated AJAX requests, an attacker can access sensitive content that should only be available to authenticated users. This can include intranet websites or other restricted resources.
Cross-site scripting (XSS) exploitation: A malicious page, whether from a malicious website or a trusted website with flaws, can exploit the CORS misconfiguration to perform cross-site scripting attacks. This can lead to the execution of arbitrary code on the victim’s browser, potentially compromising their data or performing malicious actions.
Man-in-the-middle (MITM) attacks: If the website supports HTTP without Transport Layer Security (TLS), an attacker can inject malicious code into the communication between the victim’s browser and the server. This can be done by intercepting the traffic and modifying the CORS headers to allow requests from the attacker’s domain.

It is important to properly configure CORS to prevent these risks and ensure the security of web applications.