Language: C# | Type: VULNERABILITY | Severity: Major
Tags: cwe, former-hotspot
Setting an overly permissive Cross-Origin Resource Sharing (CORS) policy allows malicious websites to read responses from your application on behalf of authenticated users.
Same-origin policy in browsers prevents JavaScript from
making cross-origin HTTP requests to resources with a different origin (domain, protocol, or port). The Cross-Origin Resource Sharing (CORS) mechanism allows servers to relax this
restriction by including Access-Control-Allow-Origin response headers that tell browsers which origins are permitted.
Setting the Access-Control-Allow-Origin header to a wildcard (*) or dynamically reflecting a user-supplied
Origin header without validation completely disables same-origin protection for the affected resource.
When CORS restrictions are disabled, a malicious website visited by an authenticated user can issue cross-origin requests to the vulnerable application and read the responses. This allows attackers to steal sensitive data accessible to the victim, such as account details, API keys, or private application data.
If the application is also configured with Access-Control-Allow-Credentials: true, the browser will include cookies and HTTP
authentication headers in cross-origin requests. Attackers can then perform authenticated operations on behalf of the victim, potentially leading to
full account takeover or unauthorized data modification.
Set the Access-Control-Allow-Origin header or configure CORS policies with specific trusted origins, and validate user-supplied
origins against an allow-list.
[HttpGet]
public string Get()
{
Response.Headers.Add("Access-Control-Allow-Origin", "*"); // Noncompliant
Response.Headers.Add(HeaderNames.AccessControlAllowOrigin, "*"); // Noncompliant
return "Success";
}
public void ConfigureServices(IServiceCollection services)
{
services.AddCors(options =>
{
options.AddDefaultPolicy(builder =>
{
builder.WithOrigins("*"); // Noncompliant
});
options.AddPolicy(name: "EnableAllPolicy", builder =>
{
builder.WithOrigins("*"); // Noncompliant
});
options.AddPolicy(name: "OtherPolicy", builder =>
{
builder.AllowAnyOrigin(); // Noncompliant
});
});
services.AddControllers();
}
User-controlled origin:
String origin = Request.Headers["Origin"];
Response.Headers.Add("Access-Control-Allow-Origin", origin); // Noncompliant
[HttpGet]
public string Get()
{
Response.Headers.Add("Access-Control-Allow-Origin", "https://trustedwebsite.com");
Response.Headers.Add(HeaderNames.AccessControlAllowOrigin, "https://trustedwebsite.com");
return "Success";
}
public void ConfigureServices(IServiceCollection services)
{
services.AddCors(options =>
{
options.AddDefaultPolicy(builder =>
{
builder.WithOrigins("https://trustedwebsite.com", "https://anothertrustedwebsite.com");
});
options.AddPolicy(name: "EnableAllPolicy", builder =>
{
builder.WithOrigins("https://trustedwebsite.com");
});
});
services.AddControllers();
}
User-controlled origin validated with an allow-list:
String origin = Request.Headers["Origin"];
if (trustedOrigins.Contains(origin))
{
Response.Headers.Add("Access-Control-Allow-Origin", origin);
}
Set the Access-Control-Allow-Origin header or use the EnableCors attribute with specific trusted origins.
public class HomeController : ApiController
{
public HttpResponseMessage Get()
{
var response = HttpContext.Current.Response;
response.Headers.Add("Access-Control-Allow-Origin", "*"); // Noncompliant
response.Headers.Add(HeaderNames.AccessControlAllowOrigin, "*"); // Noncompliant
response.AppendHeader(HeaderNames.AccessControlAllowOrigin, "*"); // Noncompliant
}
}
[EnableCors(origins: "*", headers: "*", methods: "GET")] // Noncompliant
public HttpResponseMessage Get() => new HttpResponseMessage()
{
Content = new StringContent("content")
};
public class HomeController : ApiController
{
public HttpResponseMessage Get()
{
var response = HttpContext.Current.Response;
response.Headers.Add("Access-Control-Allow-Origin", "https://trustedwebsite.com");
response.Headers.Add(HeaderNames.AccessControlAllowOrigin, "https://trustedwebsite.com");
response.AppendHeader(HeaderNames.AccessControlAllowOrigin, "https://trustedwebsite.com");
}
}
[EnableCors(origins: "https://trustedwebsite.com", headers: "*", methods: "GET")]
public HttpResponseMessage Get() => new HttpResponseMessage()
{
Content = new StringContent("content")
};