Description
FINERACT-853 has identified the following which we should probably do something about:
Security Warnings
Code: SECCORS
Warning: The program defines an overly permissive Cross-Origin Resource Sharing (CORS) policy
Details
PERMISSIVE_CORS: Overly permissive CORS policy
Prior to HTML5, Web browsers enforced the Same Origin Policy which ensures that in order for JavaScript to access the contents of a Web page, both the JavaScript and the Web page must originate from the same domain. Without the Same Origin Policy, a malicious website could serve up JavaScript that loads sensitive information from other websites using a client's credentials, cull through it, and communicate it back to the attacker. HTML5 makes it possible for JavaScript to access data across domains if a new HTTP header called Access-Control-Allow-Origin is defined. With this header, a Web server defines which other domains are allowed to access its domain using cross-origin requests. However, caution should be taken when defining the header because an overly permissive CORS policy will allow a malicious application to communicate with the victim application in an inappropriate way, leading to spoofing, data theft, relay and other attacks.
Vulnerable Code:
response.addHeader("Access-Control-Allow-Origin", "*");
Solution:
Avoid using * as the value of the Access-Control-Allow-Origin header, which indicates that the application's data is accessible to JavaScript running on any domain.
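As an added illustration (not Fineract's own code), the following servlet filter replaces the wildcard with an allow-list: it echoes the request's Origin only when that origin is an exact match, and otherwise sends no CORS headers at all. The origins are hypothetical, and the code assumes the Servlet 4.0 javax.servlet API, where Filter.init and Filter.destroy have default implementations.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Allow-list CORS filter: grants the request's Origin only if it is on a fixed list, never "*".
public class AllowListCorsFilter implements Filter {
    // Hypothetical allowed origins; a deployment would load these from configuration.
    private static final Set<String> ALLOWED_ORIGINS = Set.of(
            "https://app.example.org",
            "https://admin.example.org");

    // Returns the Access-Control-Allow-Origin value to send, or null to send no CORS headers.
    static String resolveAllowedOrigin(String origin) {
        if (origin == null) {
            return null; // no Origin header: same-origin or non-browser client, nothing to grant
        }
        // Exact match on the full origin (scheme, host, port): no prefix, suffix or regex
        // matching, so "https://app.example.org.attacker.invalid" does not pass.
        return ALLOWED_ORIGINS.contains(origin) ? origin : null;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String allowed = resolveAllowedOrigin(request.getHeader("Origin"));
        if (allowed != null) {
            // Echo the validated origin and tell caches that the answer depends on Origin.
            response.setHeader("Access-Control-Allow-Origin", allowed);
            response.addHeader("Vary", "Origin");
            response.setHeader("Access-Control-Allow-Credentials", "true");
            response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
            response.setHeader("Access-Control-Allow-Headers", "Authorization, Content-Type");
        }
        if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
            // Preflight: answer here; an unlisted origin gets no CORS headers, so the browser blocks it.
            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Because the allowed value is echoed per request, the Vary: Origin header is what keeps a shared cache from serving one origin's grant to another.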
Issue Links
- blocks FINERACT-969: Run OWASP zaproxy.org against Fineract (e.g. fineract.dev) (Open)
- FINERACT-853: Use find-sec-bugs SpotBugs plugin to detect SQL injection issues (and other security related problems) (In Progress)