🚀 Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney .

Permissive Cross-Domain Security Policy

The application defines an overly permissive cross-domain security policy that allows communication with untrusted or broadly matched domains. This weakens browser-enforced origin protections such as the Same-Origin Policy and may allow malicious third-party domains to interact with the application in ways that should normally be restricted.

If wildcard domains or untrusted origins are included in a CSP, CORS, crossdomain.xml, or similar client-side security policy, an attacker-controlled domain may be able to send requests, access exposed application data, bypass intended browser protections, or perform actions on behalf of a victim. Depending on the policy and application context, this may enable attacks similar to Cross-Site Scripting, data exfiltration, session abuse, or unauthorised interaction with protected resources.

Remediation

Restrict the cross-domain security policy to only explicitly trusted domains that are required for the application to function. Avoid wildcard entries such as * or broad patterns like *.example.com unless every matching subdomain is fully trusted and controlled. Review CSP, CORS, crossdomain.xml, and other client access policy files to ensure they follow a least-privilege model. Where possible, separate trusted and untrusted content onto different domains and validate that sensitive resources cannot be accessed from unauthorised origins.

Metadata

  • Severity: high
  • Slug: permissive-cross-domain-security-policy

CWEs

  • 942: Permissive Cross-domain Security Policy with Untrusted Domains

Available Labs

Open Azure labs in SecDim Play for this vulnerability.

Try it yourself

Find, Hack and Fix Your First Vulnerability

Reading about security bugs is one thing — fixing one is how the skill sticks. Play a free challenge from the wargame, no setup required.