ZAP – Cross-Domain Misconfiguration

Details
Alert ID	10098
Alert Type	Passive
Status	release
Risk	Medium
CWE	264
WASC	14
Technologies Targeted	All
Tags	CWE-264 OWASP_2017_A05 OWASP_2021_A01 POLICY_PENTEST POLICY_QA_STD
More Info	Scan Rule Help

Summary

Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.

Solution

Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance). Configure the "Access-Control-Allow-Origin" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.

Other Info

The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.

References

https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy

Code

org/zaproxy/zap/extension/pscanrules/CrossDomainMisconfigurationScanRule.java