CORS Policy is too broad

javascript.too_broad_cors_policy

Severity

critical

Resource

Misconfiguration

Language

JavaScript

Description

By default, same-origin policy blocks cross-origin HTTP requests initiated by scripts. There are several use cases that require cross-origin script access; for example, Content Delivery Networks (CDNs) that provide hosting for JavaScript/CSS libraries and public API endpoints. However, cross-origin access presents a major security risk and must be carefully controlled.

This detector aims to pinpoint scenarios where Cross-Origin Resource Sharing (CORS) policies are excessively permissive, potentially exposing the application to cross-origin attacks.

More specifically this detector identifies configurations that improperly set values for the Access-Control-Allow-Origin HTTP header.

Rationale

Cross-Origin Resource Sharing (CORS) is a fundamental security feature that controls how resources can be requested from a different domain.

This vulnerability arises when the Origin header is set to overly permissive values such as * or null, which effectively allows any domain to access resources, bypassing the intended security restrictions. This can lead to undesired information disclosure or unauthorized actions through a variety of attack vectors.

In addition, dynamically reflecting origins (e.g. the Origin request header) from cross-origin requests without strict validation should be avoided, as it is readily exploitable.

The following example reflects the Origin without any validation:

const express = require('express');
const cors = require('cors');
const app = express();

/*
 * Dangerous CORS configuration: reflects Origin header without validation.
 * In addition, allows cross-domain credentials sharing.
 */
app.use((req, res, next) => {
  const origin = req.headers.origin;
  res.setHeader('Access-Control-Allow-Origin', origin); // FLAW
  res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE');
  res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
  res.setHeader('Access-Control-Allow-Credentials', 'true');
  next();
});

Remediation

To remediate this vulnerability, it is crucial to tighten the CORS policy by explicitly specifying trusted domains or origins that are permitted to interact with the application. This minimizes unauthorized access and limits the exposure to potential attacks.

Here are practical steps for safer CORS configuration in web applications:

Identify the trusted domains that require cross-origin access to your resources and specify them explicitly instead of using a wildcard character.
Use configuration files or security frameworks to centralize and manage CORS settings to ensure consistency across your application.
Regularly review and update the list of allowed origins based on your current security requirements and business needs.

In frameworks such as Express.js, CORS can be configured at the router level using middlewares such as cors, which allows for fine-grained control over the allowed origins and methods.

Configuration

The detector has the following configurable parameters:

tooBroadOriginPattern, that indicates the regex used to determine if the origin is too broad.

References

CWE-942 : Permissive Cross-domain Policy with Untrusted Domains.
OWASP - Top 10 2021 Category A05 : Security Misconfiguration.
MDN on CORS configuration.
PortSwigger on CORS.
Exploiting CORS misconfigurations for Bitcoins and bounties.