

CORS Wildcard Origin Allowed

Cross-Origin Resource Sharing (CORS) is a mechanism for deliberately relaxing the browser's same-origin policy. If it is not configured carefully, it can introduce security vulnerabilities. CORS is an HTTP header with which a server tells the browser which origins (scheme, domain, and port) other than its own are permitted to load its resources. A server can set the wildcard `*` to allow any origin. An adversary can abuse this to send cross-origin requests from any origin they control and read the responses, using the exposed resources in a secondary attack.

NOTE: Modern browsers no longer accept a `*` origin for a request that carries credentials (for example, a Cookie header).

Remediation

  • Do not allow `*` origin.
  • Specify domains from which requests are allowed.
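As an added illustration of the two remediation points (this is example code, not SecDim's lab code), the following shows a wildcard CORS policy beside an allowlist-based one. The allowlist entries, the origin values in the comments, and the helper names are constructed for the example; the header names are the standard CORS headers.

```python
# Added example (not the page's or SecDim's code): computing CORS response
# headers from a request's Origin header, wildcard policy vs. allowlist policy.
from urllib.parse import urlsplit

# Constructed allowlist of trusted origins: scheme + host [+ non-default port],
# stored in the same canonical form that normalize_origin() produces.
ALLOWED_ORIGINS = {
    "https://app.example.com",
    "https://admin.example.com:8443",
}


def cors_headers_vulnerable(request_origin):
    """Wildcard policy: every origin is allowed, so any site the user visits
    can read the response of a cross-origin fetch() to this server."""
    return {"Access-Control-Allow-Origin": "*"}


def normalize_origin(origin):
    """Return a canonical 'scheme://host[:port]' for a well-formed Origin
    value, or None for anything else (empty, 'null', a path or userinfo
    present, unsupported scheme, unparsable port)."""
    if not origin:
        return None
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username:
        return None
    try:
        port = parts.port
    except ValueError:
        return None
    host = parts.hostname.lower()
    default = 443 if parts.scheme == "https" else 80
    port = port or default
    if port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def cors_headers_hardened(request_origin):
    """Allowlist policy: echo the Origin only when it matches a trusted origin
    exactly; otherwise emit no CORS headers, so the browser blocks the
    cross-origin read. 'Vary: Origin' stops a shared cache from serving one
    origin's Access-Control-Allow-Origin value to another. Credentials are
    only enabled because the origin is an exact allowlist match."""
    origin = normalize_origin(request_origin)
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


if __name__ == "__main__":
    # Constructed sample Origin values for a stand-alone run.
    for o in ("https://app.example.com", "https://app.example.com.other.test"):
        print(o, "->", cors_headers_vulnerable(o), "|", cors_headers_hardened(o))
```

The exact-match comparison on a canonical origin is the important part: a prefix, suffix, or substring check against the trusted domain would still count as an origin validation error, because an attacker-controlled host name can contain the trusted name.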

Metadata

  • Severity: informational
  • Slug: cors-wildcard-origin-allowed

CWEs

  • 346: Origin Validation Error

OWASP

  • A07:2021: Identification and Authentication Failures

Available Labs



Play AppSec WarGames

Want to skill-up in secure coding and AppSec? Try SecDim Wargames to learn how to find, hack and fix security vulnerabilities inspired by real-world incidents.


Got a comment?

Join our secure coding and AppSec community: a discussion board to share and discuss all aspects of secure programming, AppSec, DevSecOps, fuzzing, cloud security, AI security, code review, and more.
