Permissive Cross-Domain Policy with Untrusted Domains
Description
This application potentially allows user-supplied input to set the value of the `Access-Control-Allow-Origin` response header, which is part of the Cross-Origin Resource Sharing (CORS) specification. If an attacker-controlled origin is reflected in this header (especially together with `Access-Control-Allow-Credentials: true`), a page on the attacker's site can make a victim's browser issue authenticated cross-origin requests to this server and read the responses, disclosing data the victim is authorized to see. To remediate this issue, do not use user-supplied information when calling `HttpServletResponse.setHeader` or `HttpServletResponse.addHeader` to set the `Access-Control-Allow-Origin` header's value; choose the value from a hardcoded allowlist instead.
Examples
Insecure Code
```java
response.addHeader("Access-Control-Allow-Origin", request.getParameter("domain"));
```
Secure Code
```java
import java.util.HashMap;
import java.util.Map;
// Allowlist of full origins (scheme + host), keyed by a short identifier.
Map<String, String> allowedDomains = new HashMap<>();
allowedDomains.put("sub1", "https://sub1.example.com");
// The request parameter is only a lookup key; the header value always comes from the map.
String headerValue = allowedDomains.getOrDefault(request.getParameter("allowedDomain"), allowedDomains.get("sub1"));
response.addHeader("Access-Control-Allow-Origin", headerValue);
```
Remediation
Hardcode the allowed origin(s) in a lookup table or another trusted data source. Treat any request-supplied value only as a key into that table, never as the header value itself, and fall back to a safe default (or omit the header entirely) when the key is unknown. Use full origins such as `https://sub1.example.com` rather than bare hostnames, because the browser compares the header value against the requesting origin exactly. If the endpoint also sends `Access-Control-Allow-Credentials: true`, emit `Vary: Origin` so that a shared cache does not serve one origin's response to another.
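The rule's secure example keys the lookup off a request parameter. The more common shape, checking the browser-sent `Origin` header against a hardcoded allowlist and echoing only a matched constant, is shown below as an added example written as a servlet filter. It is not the scanner's or the rule's own code; the `jakarta.servlet` package, the class name, the example origins and the allowed methods and headers are assumptions for illustration.

```java
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Set;

// Hypothetical filter (example code, not the rule's): validates the browser-sent
// Origin header against a fixed allowlist and echoes it back only on an exact match.
public class OriginAllowlistCorsFilter implements Filter {

    // Full origins (scheme + host [+ port]), never bare hostnames, and never
    // derived from request data. The entries here are assumed example values.
    private static final Set<String> ALLOWED_ORIGINS = Set.of(
        "https://sub1.example.com",
        "https://sub2.example.com"
    );

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String origin = request.getHeader("Origin");
        String allowed = resolveAllowedOrigin(origin);

        if (allowed != null) {
            // The echoed value is one of our constants, not attacker input,
            // because resolveAllowedOrigin only returns an allowlist entry.
            response.setHeader("Access-Control-Allow-Origin", allowed);
            response.setHeader("Access-Control-Allow-Credentials", "true");
            // The response depends on Origin, so caches must key on it too.
            response.addHeader("Vary", "Origin");
            response.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
            response.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
        }
        // Unknown or absent Origin: send no CORS headers at all. The browser then
        // blocks cross-origin reads; same-origin and non-browser clients are unaffected.

        if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
            // Preflight request: answer here without invoking the downstream handler.
            response.setStatus(allowed != null ? HttpServletResponse.SC_NO_CONTENT
                                               : HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * Returns the allowlist entry equal to the given origin, or null.
     * Exact string comparison: neither "https://sub1.example.com.attacker.net"
     * nor "https://attacker-sub1.example.com" matches, and the literal "null"
     * origin sent from sandboxed frames or file:// pages is never allowed.
     */
    static String resolveAllowedOrigin(String origin) {
        if (origin == null) {
            return null;
        }
        return ALLOWED_ORIGINS.contains(origin) ? origin : null;
    }
}
```

Two points worth keeping in mind when adapting this: a wildcard `Access-Control-Allow-Origin: *` cannot be combined with `Access-Control-Allow-Credentials: true` (browsers reject the response), which is why credentialed endpoints must echo a specific origin; and matching must be an exact comparison of the whole origin string, since prefix, suffix or regular-expression checks are the usual way reflected-origin bugs survive a "fix".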
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0684 |
| Category | Web |
| Severity | MEDIUM |
| CWE | CWE-942 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | CORS, Cross-Origin Resource Sharing |
| OWASP | A1:2017-Injection, A03:2021-Injection |