Too Broad Cors Policy

By default, same-origin policy blocks cross-origin HTTP requests initiated by scripts. There are several use cases that require cross-origin script access; for example, Content Delivery Networks (CDNs) that provide hosting for JavaScript/CSS libraries and public API endpoints. However, cross-origin access presents a major security risk and must be carefully controlled.

This detector aims to pinpoint scenarios where Cross-Origin Resource Sharing (CORS) policies are excessively permissive, potentially exposing the application to cross-origin attacks.

More specifically this detector identifies configurations that improperly set values for the Access-Control-Allow-Origin HTTP header.

Cross-Origin Resource Sharing (CORS) is a fundamental security feature that controls how resources can be requested from a different domain.

This vulnerability arises when the Origin header is set to overly permissive values such as * or null, which effectively allows any domain to access resources, bypassing the intended security restrictions. This can lead to undesired information disclosure or unauthorized actions through a variety of attack vectors.

In addition, dynamically reflecting origins (e.g. the Origin request header) from cross-origin requests without strict validation should be avoided, as it is readily exploitable.

Consider a PHP application with the following permissive CORS configuration:

This configuration does not restrict which domains can interact with the resources, potentially exposing sensitive data to malicious domains.

To remediate this vulnerability, it is crucial to tighten the CORS policy by explicitly specifying trusted domains or origins that are permitted to interact with the application. This minimizes unauthorized access and limits the exposure to potential attacks.

Here are practical steps for safer CORS configuration in web applications:

The detector has the following configurable parameters: