Cross-Domain (CORS) Misconfiguration (Passive)
What is it?
The API is configured with a suboptimal and/or overly permissive Cross-Origin Resource Sharing (CORS) policy.
The 'Access-Control-Allow-Origin' header is set. With this header, an API server declares which other origins are allowed to read its responses via cross-origin requests.
A suboptimal and/or overly permissive CORS policy can lead to spoofing, data theft, relay, and other attacks.
Test case FAQs
When is this test case applicable?
This is applicable for all API endpoints when the Baseline security category is enabled in test plans.
How does it work?
Responses sent by the API server are analyzed for a suboptimal CORS policy, based on the values of the 'Access-Control-Allow-Origin', 'Access-Control-Allow-Credentials', and 'Access-Control-Allow-Methods' HTTP response headers.
What is the solution?
Configure the 'Access-Control-Allow-Origin' HTTP header to a restrictive allow-list of trusted origins, or remove all CORS headers entirely so that the web browser enforces the Same Origin Policy (SOP). Follow the best practices outlined here.
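An added example, not the scanner's own code, of the passive check described under "How does it work?" and the allow-list fix from "What is the solution?": it inspects the three headers named above in a few constructed responses. The origins, the trusted-origin set and the finding texts are assumptions.

```python
# Passive CORS check: only the request Origin and the response headers are
# inspected; no request is replayed. All sample data below is constructed.

STATE_CHANGING = {"PUT", "DELETE", "PATCH"}


def check_cors(request_origin, headers, allowed_origins=frozenset()):
    """Return a list of findings for one response.

    request_origin  - value of the Origin header the scanner sent
    headers         - response headers (names matched case-insensitively)
    allowed_origins - origins the API is documented to trust (assumption)
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    raw = h.get("access-control-allow-methods", "")
    methods = {m.strip().upper() for m in raw.split(",") if m.strip()}
    findings = []
    if acao is None:
        return findings  # no CORS headers: the browser enforces the SOP
    if acao == "*":
        findings.append("wildcard origin: any site may read responses")
    elif acao == "null":
        findings.append("'null' origin: sandboxed iframes and file:// pages match")
    elif acao == request_origin and request_origin not in allowed_origins:
        findings.append("reflected untrusted origin: allow-list missing or too broad")
    permissive = bool(findings)
    # Browsers refuse credentialed reads when ACAO is "*", but a reflected or
    # "null" origin plus credentials exposes authenticated data.
    if creds and permissive:
        findings.append("credentials allowed with a permissive origin")
    if permissive and (methods & STATE_CHANGING or "*" in methods):
        findings.append("state-changing methods allowed cross-origin: "
                        + ", ".join(sorted(methods)))
    return findings


# Constructed samples: (Origin sent by the scanner, headers returned).
TRUSTED = frozenset({"https://app.example"})
SAMPLES = {
    "reflected": ("https://attacker.example", {
        "Access-Control-Allow-Origin": "https://attacker.example",
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE"}),
    "wildcard": ("https://attacker.example",
                 {"Access-Control-Allow-Origin": "*"}),
    "fixed": ("https://attacker.example", {  # static allow-listed origin
        "Access-Control-Allow-Origin": "https://app.example", "Vary": "Origin",
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": "GET, POST"}),
    "no_cors": ("https://attacker.example", {"Content-Type": "application/json"}),
}


def scan(samples=SAMPLES, trusted=TRUSTED):
    """Run check_cors over every sample and map name -> findings."""
    return {n: check_cors(o, hd, trusted) for n, (o, hd) in samples.items()}
```

The "fixed" sample shows the remediation from the solution section: a fixed, allow-listed origin with `Vary: Origin` produces no findings even though credentials are enabled.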