Covered by FixVibehigh

. CORS Feil uppseting: Váði fyri ov loyvdum politikki ZXCVFIXVIBESEND ZXCVFIXVIBESEG1. Lær hvussu CORS feilkonfiguratiónir loyva álopsmonnum at umganga Same-Origin-politikkin og stjala viðkvæmar brúkaradátur frá ZXCVFIXVIBETOKEN1ZXCV-genereraðum vevforritum. ZXCVFIXVIBESEND ZXCVFIXVIBESEG2. Tilfeingisdeiling tvørtur um uppruna (CORS) er ein kagamekanisme, sum er gjørdur til at slaka í politikkinum um sama uppruna (SOP). Meðan tað er neyðugt fyri nútímans vevforrit, kann óhóskandi implementering – so sum at ekkoa Origin-høvdið hjá umsøkjaranum ella at hvítlista 'null' uppruna - loyva illgrunasamum síðum at útfiltrera privatar brúkaradátur. ZXCVFIXVIBESEND ZXCVFIXVIBESEG3. ## Ávirkan ZXCVFIXVIBESEND ZXCVFIXVIBESEG4. Ein álopsmaður kann stjala viðkvæmar, góðkendar dátur frá brúkarum av einum viðbreknum forriti CORS. Um ein brúkari vitjar eina illgrunasama heimasíðu, meðan hann er innritaður inn á sárbæru appina, kann illviljaða síðan gera tvør-upprunafyrispurningar til ZXCVFIXVIBETOKEN4ZXCV í appini og lesa svarini ZXCVFIXVIBETOKEN1ZXCVZXCVFIXVIBETOKEN2ZXCV. Hetta kann føra til stuldur av privatum upplýsingum, eitt nú brúkaraprofilum, CSRF-merkjum ella privatum boðum ZXCVFIXVIBETOKEN3ZXCV. ZXCVFIXVIBESEND ZXCVFIXVIBESEG5. ## Rótorsøk ZXCVFIXVIBESEND ZXCVFIXVIBESEG6. ZXCVFIXVIBETOKEN2ZXCV er ein HTTP-høvuðsgrundaður mekanisma, sum ger, at ambætarar kunnu tilskila, hvør uppruna (øki, skipan ella portur) er loyvdur at heinta tilfeingi CORS. Sárbarleikar koma vanliga upp, tá politikkurin hjá einum ambætara er ov fleksibul ella illa implementeraður: ZXCVFIXVIBESEND ZXCVFIXVIBESEG7. * Endurspeglað upprunahøvd: Summir ambætarar lesa CORS høvdið frá eini kundaumbøn og ekko tað aftur í ZXCVFIXVIBETOKEN1ZXCV (ACAO) svarhøvdið ZXCVFIXVIBETOKEN2ZXCV. Hetta ger í roynd og veru, at ein og hvør heimasíða kann fáa atgongd til tilfeingið ZXCVFIXVIBETOKEN3ZXCV. ZXCVFIXVIBESEND ZXCVFIXVIBESEG8. * Skeiv uppsett stríðmerki: Meðan stríðkortið CORS loyvir øllum uppruna at fáa atgongd til eitt tilfeingi, kann tað ikki brúkast til áheitanir, sum krevja trúnaðarupplýsingar (sum farspor ella heimildarhøvd) ZXCVFIXVIBETOKEN1ZXCV. Forritarar royna ofta at umganga hetta við dynamiskt at gera ACAO-høvdið grundað á umbønina ZXCVFIXVIBETOKEN2ZXCV. ZXCVFIXVIBESEND ZXCVFIXVIBESEG9. * Hvítlista 'null': Summi forrit hvítlista CORS uppruna, sum kann útloysast av umleggjaðum fyrispurningum ella lokalum fílum, soleiðis at illgrunasamar síður kunnu maskera seg sum ein ZXCVFIXVIBETOKEN1ZXCV uppruna fyri at fáa atgongd ZXCVVIXVÍBETØKN2ZXCVZXCVVIXVIBETØKN3ZXCV. ZXCVFIXVIBESEND ZXCVFIXVIBESEG10 * Parsing Feilir: Feilir í regex ella streingjasamsvar tá ið høvdið verður validerað, kunnu loyva álopsmonnum at brúka øki sum ZXCVFIXVIBETOKEN1ZXCV ZXCVFIXVIBETOKEN2ZXCV. ZXCVFIXVIBESEND ZXCVFIXVIBESEG11 Tað er umráðandi at leggja til merkis, at ZXCVFIXVIBETOKEN1ZXCV ikki er ein vernd móti falsan av fyrispurningum tvørtur um síður (CSRF) CORS. ZXCVFIXVIBESEND ZXCVFIXVIBESEG12 ## Betongviðgerðir ZXCVFIXVIBESEND ZXCVFIXVIBESEG13 * Brúka ein statiskan hvítalista: Slepp undan at dynamiskt gera CORS-høvdið úr ZXCVFIXVIBETOKEN1ZXCV-høvdinum ZXCVFIXVIBETOKEN2ZXCV í fyrispurninginum. Samanber í staðin uppruna umbøninar við ein harðkoddaðan lista yvir álítandi øki ZXCVFIXVIBETOKEN3ZXCV. ZXCVFIXVIBESEND ZXCVFIXVIBESEG14 * Slepp undan 'null' Uppruna: Ongantíð hava CORS við á tín hvítalista yvir loyvdar uppruna ZXCVFIXVIBETOKEN1ZXCV. ZXCVFIXVIBESEND ZXCVFIXVIBESEG15 * Avmarka prógv: Set bert CORS um tað er alneyðugt fyri ávísu tvørupprunasamvirkanina ZXCVFIXVIBETOKEN1ZXCV. ZXCVFIXVIBESEND ZXCVFIXVIBESEG16 * Brúka rætta staðfesting: Um tú skalt stuðla fleiri uppruna, skalt tú tryggja tær, at staðfestingarlogikkurin fyri CORS høvdið er sterkur og ikki kann umgangast av undirøkjum ella líknandi útsjóndarøkjum ZXCVFIXVIBETOKEN1ZXCV. ZXCVFIXVIBESEND ZXCVFIXVIBESEG17 ## Hvussu CORS roynir fyri tí ZXCVFIXVIBESEND ZXCVFIXVIBESEG18 ZXCVFIXVIBETOKEN1ZXCV inniheldur nú hetta sum ein gated virknan ávísing. Eftir økisváttan sendir CORS fyrispurningar við sama uppruna við syntetiskum álopsmannsuppruna og gjøgnumgongur ZXCVFIXVIBETOKEN4ZXCV svarhøvd. Tað greiðir frá endurspeglaðum valfríum uppruna, wildcard-góðkennum ZXCVFIXVIBETOKEN5ZXCV, og víðopnum ZXCVFIXVIBETOKEN6ZXCV á ikki-almennum ZXCVFIXVIBETOKEN3ZXCV endapunktum, samstundis sum slepst undan almennum ognarlarmi.

Cross-Origin Resource Sharing (CORS) is a browser mechanism designed to relax the Same-Origin Policy (SOP). While necessary for modern web apps, improper implementation—such as echoing the requester's Origin header or whitelisting the 'null' origin—can allow malicious sites to exfiltrate private user data.

CWE-942

Impact

An attacker can steal sensitive, authenticated data from users of a vulnerable application [S2]. If a user visits a malicious website while logged into the vulnerable app, the malicious site can make cross-origin requests to the app's API and read the responses [S1][S2]. This can lead to the theft of private information, including user profiles, CSRF tokens, or private messages [S2].

Root Cause

CORS is an HTTP-header based mechanism that allows servers to specify which origins (domain, scheme, or port) are permitted to load resources [S1]. Vulnerabilities typically arise when a server's CORS policy is too flexible or poorly implemented [S2]:

Reflected Origin Header: Some servers read the Origin header from a client request and echo it back in the Access-Control-Allow-Origin (ACAO) response header [S2]. This effectively allows any website to access the resource [S2].
Misconfigured Wildcards: While the * wildcard allows any origin to access a resource, it cannot be used for requests that require credentials (like cookies or Authorization headers) [S3]. Developers often try to bypass this by dynamically generating the ACAO header based on the request [S2].
Whitelisting 'null': Some applications whitelist the null origin, which can be triggered by redirected requests or local files, allowing malicious sites to masquerade as a null origin to gain access [S2][S3].
Parsing Errors: Mistakes in regex or string matching when validating the Origin header can allow attackers to use domains like trusted-domain.com.attacker.com [S2].

It is important to note that CORS is not a protection against Cross-Site Request Forgery (CSRF) [S2].

Concrete Fixes

Use a Static Whitelist: Avoid dynamically generating the Access-Control-Allow-Origin header from the request's Origin header [S2]. Instead, compare the request's origin against a hardcoded list of trusted domains [S3].
Avoid the 'null' Origin: Never include null in your whitelist of allowed origins [S2].
Restrict Credentials: Only set Access-Control-Allow-Credentials: true if absolutely necessary for the specific cross-origin interaction [S3].
Use Proper Validation: If you must support multiple origins, ensure the validation logic for the Origin header is robust and cannot be bypassed by subdomains or similar-looking domains [S2].

How FixVibe tests for it

FixVibe now includes this as a gated active check. After domain verification, active.cors sends same-origin API requests with a synthetic attacker origin and reviews CORS response headers. It reports reflected arbitrary origins, wildcard credentialed CORS, and wide-open CORS on non-public API endpoints while avoiding public asset noise.