Detail

Misconfigured Access-Control-Allow-Origin Header

Severity: Low

Summary #

Netsparker detected a possibly misconfigured Access-Control-Allow-Origin header in resource's HTTP response.

Cross-origin resource sharing (CORS) is a mechanism that allows resources on a web page to be requested outside the domain through XMLHttpRequest.

Unless this HTTP header is present, such "cross-domain" requests are forbidden by web browsers, per the same-origin security policy.

Impact #
This is generally not appropriate when using the same-origin security policy. The only case where this is appropriate when using the same-origin policy is when a page or API response is considered completely public content and it is intended to be accessible to everyone.
Remediation #
If this page is intended to be accessible to everyone, you don't need to take any action. Otherwise please follow the guidelines for different architectures below in order to set this header and permit outside domain.

Apache

  • Add the following line inside either the <directory>, <location>, <files> or <virtualhost> sections of your server config (usually located in httpd.conf or apache.conf), or within a .htaccess file.
    Header set Access-Control-Allow-Origin "domain"

IIS6

  1. Open Internet Information Service (IIS) Manager
  2. Right click the site you want to enable CORS for and go to Properties
  3. Change to the HTTP Headers tab
  4. In the Custom HTTP headers section, click Add
  5. Enter Access-Control-Allow-Origin as the header name
  6. Enter domain as the header value

IIS7

  • Merge the following xml into the web.config file at the root of your application or site:
    <?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.webserver>
    <httpprotocol>
      <customheaders>
        <add name="Access-Control-Allow-Origin" value="domain" />
      </customheaders>
    </httpprotocol>
  </system.webserver>
</configuration>

ASP.NET

  • If you don't have access to configure IIS, you can still add the header through ASP.NET by adding the following line to your source pages:
    Response.AppendHeader("Access-Control-Allow-Origin", "domain");
Classifications #
CWE-16, ISO27001-A.14.1.2, WASC-15, OWASP 2013-A5, OWASP 2017-A6
Vulnerability Index

Vulnerability Index

You can search and find all vulnerabilities

Select Category

OR

Search Vulnerability

Tags

CORS  OWASP 2013-A5  OWASP 2017-A6 

Related Vulnerabilities

Netsparker

Dead accurate, fast & easy-to-use Web Application Security Scanner

GET A DEMO

RESOURCES

USE CASES

WEB SECURITY

COMPANY

Netsparker Ltd

  • 220 Industrial Blvd Ste 102
    Austin, TX 78745
© Netsparker 2021, by Invicti
Subscription Services Agreement | Data Protection Policy | Information Security Policy | Privacy Policy | Sitemap