CORS policy allows arbitrary origins or is too permissive.
Impact:
Lets pages on attacker-controlled origins send cross-origin requests to the API from a victim's browser and read the responses, exposing data or actions that should be reachable only from the application's own origin.
| Vulnerability Name | Vulnerable URL | CVE/CWE | CVSS Score | Overall Risk (Severity) | Observation / Description | Impact | Recommendation | Reference | Steps to reproduce |
|---|---|---|---|---|---|---|---|---|---|
| Permissive CORS policy (wildcard Access-Control-Allow-Origin) | https://dev.abdm.gov.in/api/hiecm/gateway/v3/sessions | CWE-942 | 3.5 | Low | Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading of resources. For requests that are not "simple", the browser first sends a "preflight" OPTIONS request to the server hosting the cross-origin resource to check that the server will permit the actual request; the preflight carries headers stating the HTTP method and request headers the actual request will use. The response for this endpoint returned a wildcard Access-Control-Allow-Origin value, so the server does not restrict which origins may make cross-origin requests to it. | A CORS misconfiguration that lets untrusted origins read API responses affects the confidentiality and integrity of data: a third-party page opened by an authenticated user can issue requests to the API through that user's browser and read what comes back, for example the user's settings. For the wildcard value observed here the exposure is limited, because browsers do not attach cookies or HTTP authentication to a cross-origin request whose response carries Access-Control-Allow-Origin: * (the wildcard cannot be combined with Access-Control-Allow-Credentials: true); only responses that do not depend on browser-managed credentials become readable from an attacker's page, which is why the severity is rated Low. The impact is high where a server instead reflects an arbitrary request Origin together with Access-Control-Allow-Credentials: true. | Replace the wildcard with an explicit allowlist of origins: compare the request's Origin header exactly (scheme, host and port) against the list, echo it back in Access-Control-Allow-Origin only on a match, send no Access-Control-Allow-Origin header otherwise, and add Vary: Origin so caches do not serve one origin's response to another. Never reflect the Origin header unvalidated and never allow the literal null origin. Matching a subdomain pattern such as *.yoursite.com in server code (the header itself accepts no wildcard other than a bare *) is stronger than a bare wildcard, since an attacker would then need a vulnerability such as cross-site scripting on one of those subdomains to issue the cross-origin request, but it is still discouraged because it does not provide need-to-know control: every subdomain gains access, including those with no business talking to the API. With an explicit allowlist, the scope of Access-Control-Allow-Origin is limited to the sites that deal directly with the primary site or API and excludes all others. | https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/07-Testing_Cross_Origin_Resource_Sharing | Step 1: During the security assessment, we first intercepted the request using Burp Suite and, through this interception, confirmed that the domain was vulnerable to a CORS misconfiguration. Step 2: Subsequently, by inspecting the HTTP response, we observed that the CORS allow-origin wildcard was misconfigured, exposing the system to potential security risks. |
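The following is an added example, not code from the assessed application or from this report. It shows the two sides of the finding above: a classifier that labels a captured response the way you would judge it in Burp Repeater after sending an attacker-chosen Origin (wildcard, reflected with credentials, or properly restricted), and the hardened allowlist handler the recommendation asks for, placed next to the insecure "reflect any Origin" pattern. The origins, the allowlist and the response header sets are constructed for illustration.

```python
"""CORS posture check and hardened allowlist handler.

Added example for this finding; it is not the assessed application's
code. The origins, allowlist and captured response headers below are
constructed for illustration.
"""

# Constructed allowlist: only exact scheme + host (+ port) strings.
# No wildcards and no substring matching, so look-alike hosts such as
# https://app.example.com.attacker.net never match.
ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://admin.example.com",
})


def classify_cors(probe_origin, response_headers):
    """Classify one HTTP response, given the attacker-chosen Origin that
    was sent in the probing request.

    Returns:
      'no-cors'               no Access-Control-Allow-Origin: the browser blocks the read
      'wildcard'              ACAO: *  (the finding above; browsers drop cookies, so
                              only unauthenticated responses are readable)
      'wildcard+credentials'  ACAO: * with ACAC: true (invalid pair; browsers reject it)
      'reflected+credentials' probe origin echoed with ACAC: true (worst case:
                              authenticated responses readable from any site)
      'reflected'             probe origin echoed without credentials
      'fixed-origin'          some other single origin: the server is not reflecting
    """
    h = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no-cors"
    if acao == "*":
        return "wildcard+credentials" if creds else "wildcard"
    if acao == probe_origin:
        return "reflected+credentials" if creds else "reflected"
    return "fixed-origin"


def reflect_any_origin(request_origin):
    """The insecure server pattern the recommendation warns against:
    echo whatever Origin arrived and allow credentials as well."""
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def build_cors_headers(request_origin, allowlist=ALLOWED_ORIGINS):
    """Hardened handler: CORS response headers for a request that carried
    `request_origin` (None when the request had no Origin header).

    Only an exact allowlist match is echoed back. Anything else, including
    the literal 'null' origin and unknown hosts, gets no ACAO header at all.
    'Vary: Origin' is always set so a shared cache never serves one origin's
    ACAO value to a different origin.
    """
    headers = {"Vary": "Origin"}
    if request_origin is not None and request_origin in allowlist:
        headers["Access-Control-Allow-Origin"] = request_origin
        headers["Access-Control-Allow-Credentials"] = "true"
        headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS"
        headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization"
        headers["Access-Control-Max-Age"] = "600"
    return headers


if __name__ == "__main__":
    ATTACKER = "https://attacker.example"  # constructed probing origin
    # Constructed (origin sent, response headers) pairs as an intercepting
    # proxy would show them.
    samples = [
        ("wildcard (this finding)", ATTACKER, {"Access-Control-Allow-Origin": "*"}),
        ("reflecting server", ATTACKER, reflect_any_origin(ATTACKER)),
        ("hardened, attacker origin", ATTACKER, build_cors_headers(ATTACKER)),
        ("hardened, null origin", "null", build_cors_headers("null")),
        ("hardened, allowed origin", "https://app.example.com",
         build_cors_headers("https://app.example.com")),
    ]
    for label, sent, hdrs in samples:
        print(f"{label:28s} Origin: {sent:26s} -> {classify_cors(sent, hdrs)}")
```

Run the classifier only with an origin you control; an allowlisted origin echoed back with credentials is the intended behaviour, and the classifier cannot distinguish that from reflection unless the probe origin is one the server should not trust.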