CORS null Origin Allowed

Cross Origin Resource Sharing (CORS) is a way to punch hole in the security brought by a browser. If it is not done carefully, it may result into security vulnerabilities. CORS is an HTTP-header that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources. `null` can be set by server for various reasons including support for local development. However, whitelisting `null` could be dangerous as some crafted requests e.g. `iframe` can have `null` origin and allows an adversary to access the resource cross-domain.

Remediation

Do not set `null` origin.

Metadata

Severity: informational
Slug: cors-null-origin-allowed

CWEs

346: Origin Validation Error

OWASP

A07:2021: Identification and Authentication Failures

Available Labs

Open Typescript labs in SecDim Play for this vulnerability.

easy

CORS.ts

TypeScript Easy Signature

Play AppSec WarGames

Want to skill-up in secure coding and AppSec? Try SecDim Wargames to learn how to find, hack and fix security vulnerabilities inspired by real-world incidents.

For Companies Play Now

Got a comment?

Join our secure coding and AppSec community. A discussion board to share and discuss all aspects of secure programming, AppSec, DevSecOps, fuzzing, cloudsec, AIsec code review, and more.