open-cors-anti-pattern
Open CORS Policy Anti-Pattern
Severity: Medium
Summary
Misconfigured CORS policies allow any website to make authenticated requests on behalf of users. Servers responding with Access-Control-Allow-Origin: * or reflecting client Origin headers enable data theft and unauthorized actions.
The Anti-Pattern
The anti-pattern is overly permissive Access-Control-Allow-Origin headers: wildcard (*) or reflecting client Origin values.
BAD Code Example
# VULNERABLE: The server reflects any Origin header, or uses a wildcard with credentials.
from flask import Flask, request, jsonify
app = Flask(__name__)
@app.after_request
def add_cors_headers(response):
# DANGEROUS: Reflecting Origin header.
# Attacker site (https://evil.com) can make requests.
origin = request.headers.get('Origin')
if origin:
response.headers['Access-Control-Allow-Origin'] = origin
# DANGEROUS: Wildcard with credentials.
# Most browsers block, but critical misconfiguration.
# response.headers['Access-Control-Allow-Origin'] = '*'
# response.headers['Access-Control-Allow-Credentials'] = 'true'
return response
@app.route("/api/user/profile")
def get_profile():
# Endpoint for frontend, relies on session cookie.
user = get_user_from_session()
return jsonify(user.to_dict())
# Attack:
# 1. Logged-in user visits https://evil.com
# 2. Script fetches https://yourapp.com/api/user/profile
# 3. Permissive CORS allows request with session cookie
# 4. Server responds with user's sensitive profile
# 5. evil.com exfiltrates user data
GOOD Code Example
# SECURE: Maintain a strict allowlist of trusted origins.
from flask import Flask, request, jsonify
app = Flask(__name__)
# Strict allowlist of permitted origins.
ALLOWED_ORIGINS = {
"https://www.yourapp.com",
"https://yourapp.com",
"https://staging.yourapp.com"
}
@app.after_request
def add_secure_cors_headers(response):
origin = request.headers.get('Origin')
if origin in ALLOWED_ORIGINS:
# Set header only if origin in trusted list.
response.headers['Access-Control-Allow-Origin'] = origin
response.headers['Access-Control-Allow-Credentials'] = 'true'
# Vary tells caches response depends on Origin.
response.headers['Vary'] = 'Origin'
return response
@app.route("/api/user/profile")
def get_profile_secure():
user = get_user_from_session()
return jsonify(user.to_dict())
# Script from https://evil.com: origin not in ALLOWED_ORIGINS,
# no CORS headers sent. Browser same-origin policy blocks request.
Detection
- Use browser developer tools: Open the "Network" tab, make a cross-origin request to your API, and inspect the response headers. Look for
Access-Control-Allow-Origin. Is it*? Does it match theOriginof your request even if that origin is untrusted? - Use
curl: Make a request and set a customOriginheader to see if the server reflects it:curl -H "Origin: https://evil.com" -I https://yourapp.com/api/some-endpointCheck if the response containsAccess-Control-Allow-Origin: https://evil.com. - Review CORS configuration: Check your application's code or framework configuration for how CORS headers are being set. Look for wildcards or reflected origins.
Prevention
- Maintain strict allowlist: Most critical step. Define trusted origins explicitly.
- Never reflect
Originheader: Validate against allowlist before reflecting. - Avoid wildcard on authenticated endpoints:
*unsafe for endpoints using cookies orAuthorizationheaders. Only use for public, unauthenticated resources. - Use
Access-Control-Allow-Credentialscarefully: Set totrueonly when necessary and only for allowlisted origins. - Add
Vary: Originheader: Tells caches response depends on Origin. Prevents cached response for trusted origin being served to malicious one.
Related Security Patterns & Anti-Patterns
- Missing Security Headers Anti-Pattern: CORS is a key part of the broader suite of security headers an application must manage.
- Cross-Site Scripting (XSS) Anti-Pattern: An attacker could use a permissive CORS policy to exfiltrate data stolen via an XSS attack.
References
More from igbuend/grimbard
tikz
LaTeX TikZ/PGF package for programmatic vector graphics and diagrams. Use when helping users draw flowcharts, trees, graphs, automata, circuits, geometric figures, or any custom diagram in LaTeX.
91latex
Comprehensive LaTeX reference for document creation, formatting, mathematics, tables, figures, bibliographies, and compilation. Use when helping users write, edit, debug, or compile LaTeX documents.
37pgfplots
LaTeX pgfplots package for data visualization and plotting. Use when helping users create line plots, bar charts, scatter plots, histograms, 3D surfaces, or any scientific/data plot in LaTeX.
31biblatex
LaTeX biblatex/biber packages for modern bibliography management. Use when helping users cite references, manage .bib files, choose citation styles, or troubleshoot bibliography compilation.
24ethical-hacking-ethics
Legal and ethical guidelines for bug bounties, pentesting, and security research. Use when conducting authorized security testing.
12codebase-discovery
Generate security-focused DISCOVERY.md for code review and threat modeling. Use when assessing unfamiliar codebases.
11