FixVibe
Covered by FixVibe: high

CORS Misconfiguration: Risks of Overly Permissive Policies

Learn how CORS misconfigurations let attackers bypass the Same-Origin Policy and steal sensitive user data from web apps generated by …

Cross-Origin Resource Sharing (CORS) is a browser mechanism designed to relax the Same-Origin Policy (SOP). While necessary for modern web apps, improper implementation—such as echoing the requester's Origin header or whitelisting the 'null' origin—can allow malicious sites to exfiltrate private user data.

CWE-942

Impact

An attacker can steal sensitive, authenticated data from users of a vulnerable application [S2]. If a user visits a malicious website while logged into the vulnerable app, the malicious site can make cross-origin requests to the app's API and read the responses [S1][S2]. This can lead to the theft of private information, including user profiles, CSRF tokens, or private messages [S2].

Root Cause

CORS is an HTTP-header based mechanism that allows servers to specify which origins (domain, scheme, or port) are permitted to load resources [S1]. Vulnerabilities typically arise when a server's CORS policy is too flexible or poorly implemented [S2]:

  • Reflected Origin Header: Some servers read the Origin header from a client request and echo it back in the Access-Control-Allow-Origin (ACAO) response header [S2]. This effectively allows any website to access the resource [S2].
  • Misconfigured Wildcards: While the * wildcard allows any origin to access a resource, it cannot be used for requests that require credentials (like cookies or Authorization headers) [S3]. Developers often try to bypass this by dynamically generating the ACAO header based on the request [S2].
  • Whitelisting 'null': Some applications whitelist the null origin, which can be triggered by redirected requests or local files, allowing malicious sites to masquerade as a null origin to gain access [S2][S3].
  • Parsing Errors: Mistakes in regex or string matching when validating the Origin header can allow attackers to use domains like trusted-domain.com.attacker.com [S2].

It is important to note that CORS is not a protection against Cross-Site Request Forgery (CSRF) [S2].

Concrete Fixes

  • Use a Static Whitelist: Avoid dynamically generating the Access-Control-Allow-Origin header from the request's Origin header [S2]. Instead, compare the request's origin against a hardcoded list of trusted domains [S3].
  • Avoid the 'null' Origin: Never include null in your whitelist of allowed origins [S2].
  • Restrict Credentials: Only set Access-Control-Allow-Credentials: true if absolutely necessary for the specific cross-origin interaction [S3].
  • Use Proper Validation: If you must support multiple origins, ensure the validation logic for the Origin header is robust and cannot be bypassed by subdomains or similar-looking domains [S2].
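The weak origin check from the Root Cause list beside the static-allowlist check these fixes describe, as an added example that is not FixVibe's code; the trusted origins, the function names and the probe origins are assumed for illustration.

```javascript
// Added example (not FixVibe's code). Assumed: the app trusts exactly these two origins.
const TRUSTED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Weak validation: substring matching on the Origin string, then reflecting it into
// ACAO with credentials enabled. Accepts "trusted-domain.com.attacker.com"-style origins.
function weakCorsHeaders(origin) {
  if (origin && origin.includes('example.com')) {
    return {
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Credentials': 'true',
    };
  }
  return {};
}

// Hardened: exact match against the static allowlist, never 'null', never a reflected
// value, credentials only for an exact trusted origin, and Vary: Origin so a shared cache
// cannot serve one origin's ACAO header to another.
function strictCorsHeaders(origin) {
  if (typeof origin !== 'string' || origin === 'null') return {};
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return {}; // not a well-formed origin at all
  }
  // parsed.origin is scheme + host + port only; a mismatch means a path, userinfo
  // or odd port was smuggled in, so reject rather than normalize.
  if (parsed.origin !== origin || !TRUSTED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}
```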

How FixVibe tests for it

FixVibe now includes this as a gated active check. After domain verification, active.cors sends same-origin API requests with a synthetic attacker origin and reviews CORS response headers. It reports reflected arbitrary origins, wildcard credentialed CORS, and wide-open CORS on non-public API endpoints while avoiding public asset noise.
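How a scanner can classify CORS response headers for a request sent with a synthetic origin, as an added example that is not FixVibe's implementation; the probe origin, the sample responses and the asset filter are constructed for illustration.

```javascript
// Added example (not FixVibe's code). Constructed probe origin, not a FixVibe value.
const SYNTHETIC_ORIGIN = 'https://cors-probe.example';

// Paths that look like public static assets; wide-open CORS there is expected, not a finding.
const PUBLIC_ASSET = /\.(js|css|map|png|jpe?g|gif|svg|ico|woff2?)$/i;

// Classify one response. Header names are case-insensitive, so normalize first.
function classifyCorsResponse(sentOrigin, headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const acao = h['access-control-allow-origin'];
  const credentialed = (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  const findings = [];
  if (acao === undefined) return findings; // no cross-origin grant: nothing to report
  if (acao === sentOrigin) {
    // Server echoed an origin it has never seen before: arbitrary origins are trusted.
    findings.push(credentialed ? 'reflected-origin-with-credentials' : 'reflected-origin');
  } else if (acao === '*') {
    // Browsers refuse '*' with credentials, but the pairing still shows a misconfigured policy.
    findings.push(credentialed ? 'wildcard-with-credentials' : 'wildcard-open');
  } else if (acao === 'null') {
    findings.push('null-origin-allowed');
  }
  return findings;
}

// Run the classifier over a map of path -> response headers, skipping public assets.
function scan(samples, sentOrigin = SYNTHETIC_ORIGIN) {
  const report = {};
  for (const [path, headers] of Object.entries(samples)) {
    if (PUBLIC_ASSET.test(path)) continue;
    report[path] = classifyCorsResponse(sentOrigin, headers);
  }
  return report;
}

// Constructed sample responses to four endpoints probed with SYNTHETIC_ORIGIN.
const SAMPLES = {
  '/api/me': { 'Access-Control-Allow-Origin': SYNTHETIC_ORIGIN, 'Access-Control-Allow-Credentials': 'true' },
  '/api/public-config': { 'access-control-allow-origin': '*' },
  '/api/orders': { 'Access-Control-Allow-Origin': 'https://app.example.com' },
  '/static/app.js': { 'Access-Control-Allow-Origin': '*' },
};
```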