CORS null Origin Allowed

Cross Origin Resource Sharing (CORS) is a way to punch hole in the security brought by a browser. If it is not done carefully, it may result into security vulnerabilities. CORS is an HTTP-header that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources. null can be set by server for various reasons including support for local development. However, whitelisting null could be dangerous as some crafted requests e.g. iframe can have null origin and allows an adversary to access the resource cross-domain.

Remediation

Do not set null origin.

Metadata

Severity: informational
Slug: cors-null-origin-allowed

CWEs

346: Origin Validation Error

OWASP

A07:2021: Identification and Authentication Failures

Available Labs

Open Javascript labs in SecDim Play for this vulnerability.

easy

CORS.js

JavaScript Easy Signature

Play AppSec WarGames

Want to skill-up in secure coding and AppSec? Try SecDim Wargames to learn how to find, hack and fix security vulnerabilities inspired by real-world incidents.

For Companies Play Now

Got a comment?

Join our secure coding and AppSec community. A discussion board to share and discuss all aspects of secure programming, AppSec, DevSecOps, fuzzing, cloudsec, AIsec code review, and more.