CORS Misconfiguration: The Risk of Overly Permissive Policies

Covered by FixVibe · high

Cross-Origin Resource Sharing (CORS) is a browser mechanism designed to relax the Same-Origin Policy (SOP). While necessary for modern web apps, improper implementation—such as echoing the requester's Origin header or whitelisting the 'null' origin—can allow malicious sites to exfiltrate private user data.

CWE-942

Impact

An attacker can steal sensitive, authenticated data from users of a vulnerable application [S2]. If a user visits a malicious website while logged into the vulnerable app, the malicious site can make cross-origin requests to the app's API and read the responses [S1][S2]. This can lead to the theft of private information, including user profiles, CSRF tokens, or private messages [S2].

Root Cause

CORS is an HTTP-header based mechanism that allows servers to specify which origins (the scheme, host, and port of the requesting page) are permitted to read resources [S1]. Vulnerabilities typically arise when a server's CORS policy is too flexible or poorly implemented [S2]:

  • Reflected Origin Header: Some servers read the Origin header from a client request and echo it back in the Access-Control-Allow-Origin (ACAO) response header [S2]. Paired with Access-Control-Allow-Credentials: true, this effectively allows any website to read the resource with the victim's cookies attached [S2].
  • Misconfigured Wildcards: While the * wildcard allows any origin to read a resource, browsers refuse to use it for requests that carry credentials (cookies or Authorization headers) [S3]. Developers often try to get around this by dynamically generating the ACAO header from the request, which recreates the reflection problem above [S2].
  • Whitelisting 'null': Some applications whitelist the null origin, which browsers send for redirected requests, local files, and sandboxed iframes; an attacker's page can produce it on demand with a sandboxed iframe and so masquerade as a null origin to gain access [S2][S3].
  • Parsing Errors: Mistakes in regex or string matching when validating the Origin header (an unescaped dot, a missing end anchor, a suffix check without a leading dot) can allow attackers to use domains like trusted-domain.com.attacker.com or eviltrusted-domain.com [S2].

It is important to note that CORS is not a protection against Cross-Site Request Forgery (CSRF) [S2]. CORS only governs whether a cross-origin page may read a response; the request itself (for example a form POST with the victim's cookies) still reaches the server, so state-changing endpoints need their own CSRF defence.

Concrete Fixes

  • Use a Static Whitelist: Avoid dynamically generating the Access-Control-Allow-Origin header from the request's Origin header [S2]. Instead, compare the request's origin, as a whole (scheme, host, and port), against a hardcoded list of trusted origins, and only echo a value that matched exactly [S3]. Whenever the ACAO value depends on the request, also send Vary: Origin so shared caches do not serve one origin's response to another.
  • Avoid the 'null' Origin: Never include null in your whitelist of allowed origins [S2].
  • Restrict Credentials: Only set Access-Control-Allow-Credentials: true if absolutely necessary for the specific cross-origin interaction [S3], and never alongside a reflected or wildcard ACAO.
  • Use Proper Validation: If you must support multiple origins, ensure the validation logic for the Origin header is robust (exact matching rather than prefix, suffix, or loosely written regex checks) and cannot be bypassed by subdomains or similar-looking domains [S2].
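The root causes and fixes above, as an added example that is not part of the original page or of any framework's own CORS code: two vulnerable origin handlers (one reflecting the Origin header, one "validating" it with a loose pattern) beside a hardened one that matches the full origin exactly against a static allowlist, rejects null, and sets Vary: Origin. The allowlisted origins and the trusted-domain.com name are illustrative assumptions; the functions return header maps rather than writing to a socket so they run stand-alone in Node.

```javascript
// Added example (not the page's or any project's code): server-side CORS
// origin handling, vulnerable vs. hardened. Each function maps the
// request's Origin header value to the CORS response headers to emit.

// 1. Vulnerable: reflect whatever Origin the client sent and allow
//    credentials. Any site can now read authenticated responses.
function corsHeadersReflected(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// 2. Vulnerable: "validate" with a loose pattern. The dot in the regex is
//    unescaped and there is no end anchor, so trusted-domain.com.attacker.com
//    passes; endsWith() without a leading dot lets eviltrusted-domain.com pass.
function looseOriginCheck(requestOrigin) {
  return /^https:\/\/trusted-domain.com/.test(requestOrigin) ||
         requestOrigin.endsWith('trusted-domain.com');
}

// 3. Hardened: exact match of the full origin (scheme + host + port) against
//    a static allowlist (illustrative entries). 'null' is never allowed and
//    credentials are only granted to an exact match.
const ALLOWED_ORIGINS = new Set([
  'https://app.trusted-domain.com',
  'https://admin.trusted-domain.com:8443',
]);

function normalizeOrigin(value) {
  // Browsers send Origin as scheme://host[:port] with no path. Reject the
  // literal string 'null', anything that does not parse as a URL, and
  // anything whose serialized origin differs from what was sent (a path,
  // trailing slash, userinfo, or an opaque origin such as file:).
  if (typeof value !== 'string' || value === 'null') return null;
  let url;
  try { url = new URL(value); } catch { return null; }
  if (url.origin !== value) return null;
  return url.origin;
}

function corsHeadersStrict(requestOrigin) {
  const origin = normalizeOrigin(requestOrigin);
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) {
    // No ACAO header at all: the browser blocks the cross-origin read.
    // Vary: Origin is still sent so caches keep per-origin responses apart.
    return { Vary: 'Origin' };
  }
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
}

// Stand-alone demonstration of the three handlers against attacker inputs.
for (const probe of ['https://attacker.example', 'null',
                     'https://trusted-domain.com.attacker.com',
                     'https://app.trusted-domain.com']) {
  console.log(probe,
    '| reflected:', corsHeadersReflected(probe)['Access-Control-Allow-Origin'],
    '| loose check passes:', looseOriginCheck(probe),
    '| strict:', corsHeadersStrict(probe)['Access-Control-Allow-Origin'] || '(no ACAO)');
}
```

The hardened handler deliberately omits the ACAO header for non-matching origins instead of falling back to a default: an absent header is the safe state, and a wildcard fallback would reopen the endpoint to any non-credentialed reader.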

How FixVibe tests for it

FixVibe now includes this as a gated active check. After domain verification, active.cors sends requests to the application's own API endpoints carrying a synthetic attacker Origin header and reviews the CORS response headers. It reports reflected arbitrary origins, wildcard credentialed CORS, and wide-open CORS on non-public API endpoints while avoiding noise from public assets that are meant to be readable from anywhere.
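The classification described above, as an added example and not FixVibe's own active.cors code: a function that applies browser CORS semantics to a response obtained with a synthetic attacker origin, and a classifier that labels the finding (reflected origin, wildcard with credentials, wide-open API, or fine). The probe origin, the finding labels, and the sample responses are constructed for illustration; nothing is sent over the network.

```javascript
// Added example (not FixVibe's code): evaluate CORS response headers to a
// probe request that carried Origin: ATTACKER_ORIGIN. Header names are
// lower-cased, as Node's http module delivers them.

const ATTACKER_ORIGIN = 'https://cors-probe.example'; // synthetic, illustrative

function allowsCredentials(headers) {
  return (headers['access-control-allow-credentials'] || '').toLowerCase() === 'true';
}

// Browser semantics: a cross-origin page may read the response only if ACAO
// equals its origin exactly (plus ACAC: true when the request carried
// cookies), or if ACAO is '*' and the request carried no credentials. The
// browser rejects '*' for credentialed requests, so that case reads false.
function attackerCanRead(headers, withCredentials) {
  const acao = headers['access-control-allow-origin'];
  if (acao === ATTACKER_ORIGIN) return withCredentials ? allowsCredentials(headers) : true;
  if (acao === '*') return !withCredentials;
  return false;
}

// Label one endpoint's response. isPublic marks static or intentionally
// public resources where a wildcard is expected and should not be reported.
function classifyCors(headers, { isPublic = false } = {}) {
  const acao = headers['access-control-allow-origin'];
  const acac = allowsCredentials(headers);
  if (acao === ATTACKER_ORIGIN) {
    // The server echoed an origin it has never heard of.
    return acac ? 'reflected-origin-credentialed' : 'reflected-origin';
  }
  if (acao === '*') {
    // Browsers block '*' with credentials, but the pairing shows the server
    // intends to share authenticated data with anyone, so it is still flagged.
    if (acac) return 'wildcard-credentialed';
    return isPublic ? 'ok-public-asset' : 'wide-open';
  }
  return 'ok';
}

// Constructed sample responses (not captured from any real application).
const SAMPLES = {
  reflecting:    { 'access-control-allow-origin': ATTACKER_ORIGIN,
                   'access-control-allow-credentials': 'true' },
  wildcardCreds: { 'access-control-allow-origin': '*',
                   'access-control-allow-credentials': 'true' },
  wideOpenApi:   { 'access-control-allow-origin': '*' },
  publicAsset:   { 'access-control-allow-origin': '*' },
  strict:        { 'access-control-allow-origin': 'https://app.trusted-domain.com',
                   vary: 'Origin' },
  none:          {},
};

// Run the classifier over every sample and return a findings map.
function report(samples) {
  const out = {};
  for (const [name, headers] of Object.entries(samples)) {
    out[name] = {
      finding: classifyCors(headers, { isPublic: name === 'publicAsset' }),
      readableWithCookies: attackerCanRead(headers, true),
      readableAnonymously: attackerCanRead(headers, false),
    };
  }
  return out;
}

console.table(report(SAMPLES));
```

The two functions separate what the browser would actually let an attacker's page read from what the server's policy reveals about its intent; the wildcard-with-credentials case is the reason both are needed, since it is unexploitable in the browser yet still a misconfiguration worth fixing.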