Details
Alert Id 10098
Alert Type Passive
Status release
Risk Medium
CWE 264
WASC 14
Technologies Targeted All
Tags OWASP_2017_A05
OWASP_2021_A01

Summary

Web browser data loading may be possible due to a Cross-Origin Resource Sharing (CORS) misconfiguration on the web server.

Solution

Ensure that sensitive data is not available in an unauthenticated manner (using IP address allow-listing, for instance). Configure the "Access-Control-Allow-Origin" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, so that the web browser enforces the Same Origin Policy (SOP) more strictly.
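The following Python is an added example and not part of the ZAP rule referenced below; it shows, from the defender's side, what a passive check of the "Access-Control-Allow-Origin" header looks like (wildcard, "null", and credentialed-but-unlisted origins flagged) alongside the hardened response form the Solution describes: echo the request's Origin only when it appears on an explicit allow-list, otherwise emit no CORS headers so the browser enforces SOP. `ALLOWED_ORIGINS` and the header values are constructed placeholders, not values from the page.

```python
# Added example (not from the ZAP project): classify the CORS exposure of a
# response and build a restrictive reply from an explicit origin allow-list.
from typing import Dict, Optional

# Constructed allow-list of origins permitted to read responses (hypothetical).
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def classify_cors(headers: Dict[str, str]) -> str:
    """Return a verdict for the CORS exposure of one HTTP response.

    Header names are compared case-insensitively, as HTTP requires.
    """
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    acao = lowered.get("access-control-allow-origin")
    acac = lowered.get("access-control-allow-credentials", "").lower()
    if acao is None:
        return "none"                   # no CORS header: browser enforces SOP
    if acao == "*":
        return "wildcard"               # any origin may read the response body
    if acao == "null":
        return "null-origin"            # opaque/sandboxed origins can read it
    if acac == "true" and acao not in ALLOWED_ORIGINS:
        return "credentialed-unlisted"  # cookies sent to an unapproved origin
    if acao in ALLOWED_ORIGINS:
        return "restricted"             # matches the configured allow-list
    return "unlisted"                   # specific origin, but not one we approve


def cors_headers_for(request_origin: Optional[str]) -> Dict[str, str]:
    """Hardened form: reflect the Origin only when it is on the allow-list.

    Returning no CORS headers at all leaves the browser to enforce SOP,
    which is what the Solution recommends for data that is not meant to be
    shared cross-origin.
    """
    if request_origin in ALLOWED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": request_origin,
            # Vary tells shared caches that the response differs per Origin.
            "Vary": "Origin",
        }
    return {}


if __name__ == "__main__":
    # Constructed sample responses, not captured traffic.
    weak = {"Access-Control-Allow-Origin": "*"}
    strong = cors_headers_for("https://app.example.com")
    print("weak   ->", classify_cors(weak))
    print("strong ->", classify_cors(strong))
```

`classify_cors` is the kind of check a passive scanner can run on every response it sees, since it needs only the headers; `cors_headers_for` is the corresponding server-side fix, with the allow-list as the single place where cross-origin access is granted.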

Other Info

References

Code

org/zaproxy/zap/extension/pscanrules/CrossDomainMisconfigurationScanRule.java