Too Broad Cors Policy

go.too_broad_cors_policy

Severity

critical

Resource

Misconfiguration

Language

Description

By default, same-origin policy blocks cross-origin HTTP requests initiated by scripts. There are several use cases that require cross-origin script access; for example, Content Delivery Networks (CDNs) that provide hosting for JavaScript/CSS libraries and public API endpoints. However, cross-origin access presents a major security risk and must be carefully controlled.

This detector aims to pinpoint scenarios where Cross-Origin Resource Sharing (CORS) policies are excessively permissive, potentially exposing the application to cross-origin attacks.

More specifically this detector identifies configurations that improperly set values for the Access-Control-Allow-Origin HTTP header.

Rationale

Cross-Origin Resource Sharing (CORS) is a fundamental security feature that controls how resources can be requested from a different domain.

This vulnerability arises when the Origin header is set to overly permissive values such as * or null, which effectively allows any domain to access resources, bypassing the intended security restrictions. This can lead to undesired information disclosure or unauthorized actions through a variety of attack vectors.

In addition, dynamically reflecting origins (e.g. the Origin request header) from cross-origin requests without strict validation should be avoided, as it is readily exploitable.

In Go, this issue often appears when developers configure the Access-Control-Allow-Origin header without properly restricting it to trusted domains. For instance, using "*" or echoing back the Origin header without validation opens the door to unauthorized access to sensitive APIs or data.

func handler(w http.ResponseWriter, r *http.Request) {
    w.Header().Set("Access-Control-Allow-Origin", "*") // FLAW
    // ...handle request
}

This configuration enables any domain to interact with the application, which is rarely appropriate for production environments, particularly when sensitive data or operations are involved.

Remediation

To remediate this vulnerability, it is crucial to tighten the CORS policy by explicitly specifying trusted domains or origins that are permitted to interact with the application. This minimizes unauthorized access and limits the exposure to potential attacks.

Here are practical steps for safer CORS configuration in web applications:

Identify the trusted domains that require cross-origin access to your resources and specify them explicitly instead of using a wildcard character.
Use configuration files or security frameworks to centralize and manage CORS settings to ensure consistency across your application.
Regularly review and update the list of allowed origins based on your current security requirements and business needs.

Configuration

The detector has the following configurable parameters:

tooBroadOriginPattern, that indicates the regex used to determine if the origin is too broad.

References

CWE-942 : Permissive Cross-domain Policy with Untrusted Domains.
OWASP - Top 10 2021 Category A05 : Security Misconfiguration.
MDN on CORS configuration.
PortSwigger on CORS.
Exploiting CORS misconfigurations for Bitcoins and bounties.