🚀 Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney .

CORS Wildcard Origin Allowed

Cross Origin Resource Sharing (CORS) is a way to punch hole in the security brought by a browser. If it is not done carefully, it may result into security vulnerabilities. CORS is an HTTP-header that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources. * can be set by server any allow any origin. This can be abused by an adversary to send cross-origin request from any origin and access the resources for secondary attack.

NOTE: Modern browsers no longer allow * origin with a request that has credentials (cookie header).

Remediation

  • Do not allow * origin.
  • Specify domains from which requests are allowed.

Metadata

  • Severity: informational
  • Slug: cors-wildcard-origin-allowed

CWEs

  • 346: Origin Validation Error

OWASP

  • A07:2021: Identification and Authentication Failures

Available Labs

Select a language to explore available labs for this vulnerability.

Try it yourself

Find, Hack and Fix Your First Vulnerability

Reading about security bugs is one thing — fixing one is how the skill sticks. Play a free challenge from the wargame, no setup required.