Details
Alert ID 10098
Alert Type Passive
Status release
Risk Medium
CWE 264
WASC 14
Technologies Targeted All
Tags CWE-264
OWASP_2017_A05
OWASP_2021_A01
More Info Scan Rule Help

Summary

Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.

Solution

Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance). Configure the "Access-Control-Allow-Origin" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.

Other Info

The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.

References

Code

org/zaproxy/zap/extension/pscanrules/CrossDomainMisconfigurationScanRule.java