Permissive Cross-domain Policy with Untrusted Domains (CWE-942)

Permissive Cross-domain Policy with Untrusted Domains

The product uses a cross-domain policy file that includes domains that should not be trusted.

A cross-domain policy file specifies the permissions for a web client to handle data across multiple domains. When overly permissive settings are used, malicious sites can abuse these permissions to access sensitive data or perform unauthorized actions on behalf of the user.

Verbreitung

Hoch

Häufig ausgenutzt

Auswirkung

Hoch

1 Regeln mit hohem Schweregrad

Prävention

Dokumentiert

9 Fix-Beispiele

2 Prävention

So behebst du diese Schwachstelle

🐍 Python Alle anzeigen Python Details →

FastAPI CORS Misconfiguration MEDIUM

Restrict CORS to specific trusted origins instead of wildcard '*'

+3 -3 python

  from fastapi import FastAPI
  from fastapi.middleware.cors import CORSMiddleware
  
  app = FastAPI()
  app.add_middleware(
      CORSMiddleware,
-     allow_origins=["*"],
-     allow_credentials=True,
-     allow_methods=["*"],
+     allow_origins=["https://example.com", "https://app.example.com"],
+     allow_credentials=True,
+     allow_methods=["GET", "POST"],
  )

Flask CORS Misconfiguration MEDIUM

Restrict Flask-CORS to specific trusted origins instead of wildcard '*'

+6 -1 python

  from flask import Flask
  from flask_cors import CORS
  
  app = Flask(__name__)
- CORS(app, resources={r"/api/*": {"origins": "*"}})
+ CORS(app, resources={
+     r"/api/*": {
+         "origins": ["https://example.com", "https://app.example.com"],
+         "supports_credentials": True
+     }
+ })

CORS Regex Bypass Vulnerability HIGH

Use exact string matching against an allowlist instead of regex for origin validation

+9 -7 python

- import re
- from flask import request
- 
- @app.after_request
- def cors(response):
-     origin = request.headers.get('Origin', '')
-     if re.match(r'.*example\.com', origin):
+ ALLOWED_ORIGINS = {
+     "https://app.example.com",
+     "https://api.example.com",
+ }
+ 
+ @app.after_request
+ def cors(response):
+     origin = request.headers.get('Origin', '')
+     if origin in ALLOWED_ORIGINS:
          response.headers['Access-Control-Allow-Origin'] = origin
      return response

🐹 Go Alle anzeigen Go Details →

Chi Permissive CORS MEDIUM

Configure specific allowed origins in Chi CORS middleware

+2 -1 go

  package main
  
  import (
      "github.com/go-chi/chi/v5"
      "github.com/go-chi/cors"
  )
  
  func main() {
      r := chi.NewRouter()
      r.Use(cors.Handler(cors.Options{
-         AllowedOrigins: []string{"*"},
+         AllowedOrigins:   []string{"https://example.com"},
+         AllowCredentials: true,
      }))
  }

Echo Permissive CORS MEDIUM

Configure specific allowed origins in Echo CORS middleware

+5 -1 go

  package main
  
  import (
      "github.com/labstack/echo/v4"
      "github.com/labstack/echo/v4/middleware"
  )
  
  func main() {
      e := echo.New()
      e.Use(middleware.CORSWithConfig(middleware.CORSConfig{
-         AllowOrigins: []string{"*"},
+         AllowOrigins: []string{
+             "https://example.com",
+             "https://app.example.com",
+         },
+         AllowCredentials: true,
      }))
      e.Start(":8080")
  }

Fiber Permissive CORS MEDIUM

Configure specific allowed origins in Fiber CORS middleware

+2 -1 go

  package main
  
  import (
      "github.com/gofiber/fiber/v2"
      "github.com/gofiber/fiber/v2/middleware/cors"
  )
  
  func main() {
      app := fiber.New()
      app.Use(cors.New(cors.Config{
-         AllowOrigins: "*",
+         AllowOrigins:     "https://example.com,https://app.example.com",
+         AllowCredentials: true,
      }))
      app.Listen(":3000")
  }

3 Erkennung

Finden Sie Schwachstellen in Ihrem Code

Verwenden Sie Shoulder, um Ihren Code nach Permissive Cross-domain Policy with Untrusted Domains-Mustern zu scannen. 9 Regeln.

Terminal

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=942

# Or scan entire project
npx @shoulderdev/cli trust .

Erkennungsregeln (9)

🐹 Go 5 rules

Chi Permissive CORS MEDIUM

Wildcard CORS allows any origin to access resources.

Echo Permissive CORS MEDIUM

Wildcard CORS allows any origin to access resources.

Fiber Permissive CORS MEDIUM

Wildcard CORS allows any origin to access resources.

Gin Permissive CORS MEDIUM

Wildcard CORS allows any origin to access resources.

Permissive CORS Configuration MEDIUM

CORS allows wildcard origin or reflects Origin header without validation.

🐍 Python 4 rules

FastAPI CORS Misconfiguration MEDIUM

Detects overly permissive CORS configuration in FastAPI applications. Allowing all origins (*) with credentials enabled can lead to CSRF and data theft.

Flask CORS Misconfiguration MEDIUM

Detects overly permissive CORS configuration in Flask applications using flask-cors. Allowing all origins (*) with credentials enabled can lead to cross-site request forgery and data theft.

CORS Misconfiguration MEDIUM

Detects overly permissive CORS (Cross-Origin Resource Sharing) configurations that allow any origin (*) with credentials, or reflect the Origin header without validation. This can expose sensitive data to malicious sites.

CORS Regex Bypass Vulnerability HIGH

Detects CORS implementations using weak regex patterns, prefix/suffix matching, or substring checks that can be bypassed by attackers to allow unauthorized cross-origin access from malicious domains. Common bypass patterns: 1. Unanchored regex: r"https://.*\.example\.com" matches "https://evil.com/.example.com" 2. Unescaped dots: r"https://app.trusted.com" matches "https://appXtrusted.com" 3. Prefix matching: startswith("https://trusted.com") allows "https://trusted.com.evil.com" 4. Suffix matc

4 Warnzeichen

Worauf bei Code-Reviews zu achten ist

Diese Muster weisen auf potenzielle Permissive Cross-domain Policy with Untrusted Domains-Schwachstellen hin. Achten Sie bei Code-Reviews und Sicherheitsaudits darauf.

🟠

CORS validation uses weak pattern matching that can be bypassed python-cors-regex-bypass

🟠

CORS implementations using weak regex patterns, prefix/suffix matching, or substring checks that can python-cors-regex-bypass

🟡

FastAPI uses CORSMiddleware with allow_origins=['*'] and allow_credentials=True fastapi-cors-misconfiguration

🟡

overly permissive CORS configuration in FastAPI applications fastapi-cors-misconfiguration

🟡

Flask application uses CORS(*, supports_credentials=True) which allows any origin to make authenticated requests flask-cors-misconfiguration

🟡

Gin CORS middleware configured with wildcard origin go-gin-permissive-cors

🟡

CORS policy allows untrusted origins go-permissive-cors

🟡

overly permissive CORS (Cross-Origin Resource Sharing) configurations that allow any origin (*) with python-cors-misconfiguration

🔍

Scanne deine Codebasis nach Permissive Cross-domain Policy with Untrusted Domains

Shoulder CLI findet anfällige Muster in deiner gesamten Codebasis.

npx shoulder trust Alle Regeln durchsuchen