CORS Misconfiguration Vulnerability

CORS 配置错误漏洞

Risk: medium

描述

CORS 配置错误是指 Web 服务器上未正确配置跨源资源共享 (CORS) 策略的漏洞。这允许进行未经授权的跨源请求，从而可能导致信息泄漏或对敏感数据的未经授权的访问。

以下是不同的流行框架中不正确的 CORS 配置示例：

Django

CORS_ALLOWED_ORIGIN_REGEXES = [
    r"*",
]
CORS_ALLOW_METHODS = [
    "DELETE",
    "GET",
    "OPTIONS",
    "PATCH",
    "POST",
    "PUT",
]

NodeJs

  const express = require('express');
  const cors = require('cors');
  const app = express();

      const ingredients = [];

  app.use(cors({
      origin: '*'
  }));

  app.get('/ingredients', (req, res) =>{
      res.send(ingredients);
  });
  app.listen(6069);

Spring Boot

    import org.springframework.boot.autoconfigure.SpringBootApplication
    import org.springframework.boot.runApplication
    import org.springframework.web.bind.annotation.CrossOrigin
    import org.springframework.web.bind.annotation.GetMapping
    import org.springframework.web.bind.annotation.PathVariable
    import org.springframework.web.bind.annotation.RestController

    @SpringBootApplication
    class DemoApplication

    fun main(args: Array<String>) {
        runApplication<DemoApplication>(*args)
    }

    @RestController
    class UserController {

        @CrossOrigin(origins = "*")
        @GetMapping("/users/{id}")
        fun getUser(@PathVariable id: String): String {
            // Fetch user data from the database based on the provided id
            return "User with id $id"
        }
    }

建议

为了缓解 CORS 配置错误漏洞，遵循最佳实践非常重要。这包括正确配置 Access-Control-Allow-Origin 标头以仅允许受信任的源，而不是使用通配符 (*) 值。此外，实施适当的身份验证和授权机制以确保只有授权用户才能访问敏感资源至关重要。定期监控和审计 CORS 配置有助于识别和解决任何潜在的配置错误或漏洞。

以下是 CORS 的安全设置示例：

Django

    CORS_ALLOWED_ORIGINS = [
    "https://cross-origin-website.com",
    "https://sub.cross-origin-website.com",
    ]
    CORS_ALLOW_METHODS = [
        "DELETE",
        "GET",
        "OPTIONS",
        "PATCH",
        "POST",
        "PUT",
    ]

NodeJs

    const express = require('express');
    const cors = require('cors');
    const app = express();

        const ingredients = [];

    app.use(cors({
        origin: 'https://cross-origin-website.com'
    }));

    app.get('/ingredients', (req, res) =>{
        res.send(ingredients);
    });
    app.listen(6069);

Sprint boot

    import org.springframework.boot.autoconfigure.SpringBootApplication
    import org.springframework.boot.runApplication
    import org.springframework.web.bind.annotation.CrossOrigin
    import org.springframework.web.bind.annotation.GetMapping
    import org.springframework.web.bind.annotation.PathVariable
    import org.springframework.web.bind.annotation.RestController

    @SpringBootApplication
    class DemoApplication

    fun main(args: Array<String>) {
        runApplication<DemoApplication>(*args)
    }

    @RestController
    class UserController {

        @CrossOrigin(origins = ["http://localhost:8080"]) // Replace with your allowed origin(s)
        @GetMapping("/users/{id}")
        fun getUser(@PathVariable id: String): String {
            // Fetch user data from the database based on the provided id
            return "User with id $id"
        }
    }

链接

• CORS Misconfiguration
• CWE-942: Permissive Cross-domain Policy

标准

• PCI_STANDARDS:
  • REQ_2_2
  • REQ_6_2
  • REQ_6_3
  • REQ_7_3
  • REQ_8_3
  • REQ_11_3
• HIPAA_CONTROLS:
  • SECURITY221
  • SECURITY212
  • SECURITY213