Permissive Cross-domain Policy with Untrusted Domains
The product uses a cross-domain policy file that includes domains that should not be trusted.
A cross-domain policy file specifies the permissions for a web client to handle data across multiple domains. When overly permissive settings are used, malicious sites can abuse these permissions to access sensitive data or perform unauthorized actions on behalf of the user.
普遍性
高
频繁被利用
影响
高
1 条严重级别为高的规则
预防
已记录
9 个修复示例
2 预防
2 预防
如何修复此漏洞
Python
查看全部 Python 详情 →
FastAPI CORS Misconfiguration
MEDIUM
Restrict CORS to specific trusted origins instead of wildcard '*'
from fastapi import FastAPI from fastapi.middleware.cors import CORSMiddleware app = FastAPI() app.add_middleware( CORSMiddleware, - allow_origins=["*"], - allow_credentials=True, - allow_methods=["*"], + allow_origins=["https://example.com", "https://app.example.com"], + allow_credentials=True, + allow_methods=["GET", "POST"], )
Flask CORS Misconfiguration
MEDIUM
Restrict Flask-CORS to specific trusted origins instead of wildcard '*'
from flask import Flask from flask_cors import CORS app = Flask(__name__) - CORS(app, resources={r"/api/*": {"origins": "*"}}) + CORS(app, resources={ + r"/api/*": { + "origins": ["https://example.com", "https://app.example.com"], + "supports_credentials": True + } + })
CORS Regex Bypass Vulnerability
HIGH
Use exact string matching against an allowlist instead of regex for origin validation
- import re - from flask import request - - @app.after_request - def cors(response): - origin = request.headers.get('Origin', '') - if re.match(r'.*example\.com', origin): + ALLOWED_ORIGINS = { + "https://app.example.com", + "https://api.example.com", + } + + @app.after_request + def cors(response): + origin = request.headers.get('Origin', '') + if origin in ALLOWED_ORIGINS: response.headers['Access-Control-Allow-Origin'] = origin return response
Go
查看全部 Go 详情 →
Chi Permissive CORS
MEDIUM
Configure specific allowed origins in Chi CORS middleware
package main import ( "github.com/go-chi/chi/v5" "github.com/go-chi/cors" ) func main() { r := chi.NewRouter() r.Use(cors.Handler(cors.Options{ - AllowedOrigins: []string{"*"}, + AllowedOrigins: []string{"https://example.com"}, + AllowCredentials: true, })) }
Echo Permissive CORS
MEDIUM
Configure specific allowed origins in Echo CORS middleware
package main import ( "github.com/labstack/echo/v4" "github.com/labstack/echo/v4/middleware" ) func main() { e := echo.New() e.Use(middleware.CORSWithConfig(middleware.CORSConfig{ - AllowOrigins: []string{"*"}, + AllowOrigins: []string{ + "https://example.com", + "https://app.example.com", + }, + AllowCredentials: true, })) e.Start(":8080") }
Fiber Permissive CORS
MEDIUM
Configure specific allowed origins in Fiber CORS middleware
package main import ( "github.com/gofiber/fiber/v2" "github.com/gofiber/fiber/v2/middleware/cors" ) func main() { app := fiber.New() app.Use(cors.New(cors.Config{ - AllowOrigins: "*", + AllowOrigins: "https://example.com,https://app.example.com", + AllowCredentials: true, })) app.Listen(":3000") }
3 检测
3 检测
查找代码中的漏洞
使用Shoulder扫描代码中的Permissive Cross-domain Policy with Untrusted Domains模式。 9 规则.
# Scan with Shoulder CLI npx @shoulderdev/cli trust --cwe=942 # Or scan entire project npx @shoulderdev/cli trust .
检测规则 (9)
🐹
Go
5 rules
Chi Permissive CORS
MEDIUM
Wildcard CORS allows any origin to access resources.
Echo Permissive CORS
MEDIUM
Wildcard CORS allows any origin to access resources.
Fiber Permissive CORS
MEDIUM
Wildcard CORS allows any origin to access resources.
Gin Permissive CORS
MEDIUM
Wildcard CORS allows any origin to access resources.
Permissive CORS Configuration
MEDIUM
CORS allows wildcard origin or reflects Origin header without validation.
🐍
Python
4 rules
FastAPI CORS Misconfiguration
MEDIUM
Detects overly permissive CORS configuration in FastAPI applications.
Allowing all origins (*) with credentials enabled can lead to CSRF
and data theft.
Flask CORS Misconfiguration
MEDIUM
Detects overly permissive CORS configuration in Flask applications using
flask-cors. Allowing all origins (*) with credentials enabled can lead to
cross-site request forgery and data theft.
CORS Misconfiguration
MEDIUM
Detects overly permissive CORS (Cross-Origin Resource Sharing) configurations
that allow any origin (*) with credentials, or reflect the Origin header without
validation. This can expose sensitive data to malicious sites.
CORS Regex Bypass Vulnerability
HIGH
Detects CORS implementations using weak regex patterns, prefix/suffix matching,
or substring checks that can be bypassed by attackers to allow unauthorized
cross-origin access from malicious domains.
Common bypass patterns:
1. Unanchored regex: r"https://.*\.example\.com" matches "https://evil.com/.example.com"
2. Unescaped dots: r"https://app.trusted.com" matches "https://appXtrusted.com"
3. Prefix matching: startswith("https://trusted.com") allows "https://trusted.com.evil.com"
4. Suffix matc
4 警告信号
4 警告信号
代码审查中需要关注的内容
这些模式表明潜在的Permissive Cross-domain Policy with Untrusted Domains漏洞。在代码审查和安全审计中注意查找。
CORS validation uses weak pattern matching that can be bypassed
python-cors-regex-bypass
CORS implementations using weak regex patterns, prefix/suffix matching,
or substring checks that can
python-cors-regex-bypass
FastAPI uses CORSMiddleware with allow_origins=['*'] and allow_credentials=True
fastapi-cors-misconfiguration
overly permissive CORS configuration in FastAPI applications
fastapi-cors-misconfiguration
Flask application uses CORS(*, supports_credentials=True) which allows any origin to make authenticated requests
flask-cors-misconfiguration
Gin CORS middleware configured with wildcard origin
go-gin-permissive-cors
CORS policy allows untrusted origins
go-permissive-cors
overly permissive CORS (Cross-Origin Resource Sharing) configurations
that allow any origin (*) with
python-cors-misconfiguration
扫描你的代码库: Permissive Cross-domain Policy with Untrusted Domains
Shoulder CLI 在整个代码库中找到易受攻击的模式。