JavaScript : Unsafe cross-origin resource sharing (CORS) policy

Classification

OWASP Top 10 2013: A5-Security Misconfiguration
OWASP Top 10 2017: A5-Broken Access Control, A6-Security Misconfiguration
OWASP Top 10 2021: A1-Broken Access Control, A5-Security Misconfiguration, A4-Insecure Design, A8-Software and Data Integrity Failures
OWASP ASVS: Configuration
CWE: CWE-183, CWE-345, CWE-346, CWE-451, CWE-942, CWE-1031

Overview

An insecure CORS configuration may lead to application data being compromised.

CORS (Cross-Origin Resource Sharing) is a mechanism defined in the HTML5 standard that enables JavaScript code to work with data from another domain. The server states its CORS policy in the Access-Control-Allow-Origin HTTP response header.

A CORS policy that is not defined precisely enough, for example one that grants access to origins the application should not trust, may lead to the application data being compromised.
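The following is an added example and not code from the original page. It shows, for a hypothetical API, the loose policy the text warns about (reflecting whatever Origin the browser sent) next to a policy that grants access only to an exact allowlist, plus a small audit helper a reviewer can run over a server's actual response headers. The allowlist entries, the function names and the sample origins are assumptions made for the example.

```javascript
// Added example, not code from the original page: a hypothetical API's CORS
// policy written two ways. unsafeCorsHeaders() reflects any requesting origin
// (the misconfiguration described in the text); safeCorsHeaders() checks an
// exact allowlist. auditCorsHeaders() flags weak patterns in a header set.

// Constructed sample allowlist; a real deployment lists its own front-end origins.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Unsafe policy: whatever Origin the browser sent is echoed back and credentials
// are allowed, so any site the user visits while logged in can read responses.
function unsafeCorsHeaders(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Safe policy: exact string match against the allowlist (no prefix, suffix or
// regex matching, which are the usual ways such a check ends up too loose),
// explicit methods and headers, and Vary: Origin so shared caches keep the
// per-origin responses apart.
function safeCorsHeaders(requestOrigin) {
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) {
    // No Access-Control-Allow-Origin at all: the browser refuses to expose
    // the response to the calling page.
    return { "Vary": "Origin" };
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST",
    "Access-Control-Allow-Headers": "Content-Type, Authorization",
    "Access-Control-Max-Age": "600",
    "Vary": "Origin",
  };
}

// Review helper: given the headers a server actually returned, list the
// misconfigurations a defender would want to see in a scan report.
function auditCorsHeaders(headers) {
  const findings = [];
  const acao = headers["Access-Control-Allow-Origin"];
  const acac = headers["Access-Control-Allow-Credentials"];
  if (acao === undefined) return findings; // no cross-origin access granted
  if (acao === "*" && acac === "true") {
    findings.push("wildcard origin combined with credentials");
  }
  if (acao === "null") {
    findings.push("null origin allowed (sandboxed iframes and file: pages send it)");
  }
  if (acao !== "*" && acao !== "null" && !ALLOWED_ORIGINS.has(acao)) {
    findings.push("origin outside the allowlist reflected");
  }
  if (acao !== "*" && headers["Vary"] !== "Origin") {
    findings.push("per-origin response without Vary: Origin");
  }
  return findings;
}

// Minimal request handler shape (no network listener is started here): applies
// the safe policy and answers a preflight OPTIONS request with 204.
function handleRequest(method, requestHeaders) {
  const headers = safeCorsHeaders(requestHeaders["origin"]);
  if (method === "OPTIONS") {
    return { status: 204, headers, body: "" };
  }
  // Constructed response payload standing in for real application data.
  return { status: 200, headers, body: JSON.stringify({ balance: 42 }) };
}
```

The exact-match `Set` lookup is the important design choice: an allowlist compared with `startsWith`, `endsWith`, `includes` or an unanchored regular expression will accept look-alike origins, and the audit helper treats any reflected origin that is not in the allowlist as a finding for that reason.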

References

  1. OWASP Top 10 2017-A5-Broken Access Control
  2. OWASP: HTML5 Security Cheat Sheet
  3. Cross-Origin Resource Sharing - w3.org
  4. CWE CATEGORY: OWASP Top Ten 2017 Category A5 - Broken Access Control
  5. CWE-346
  6. CWE-942