ABSTRACT

The program defines an overly permissive Cross-Origin Resource Sharing (CORS) policy.

EXPLANATION

Prior to HTML5, Web browsers enforced the Same Origin Policy which ensures that in order for JavaScript to access the contents of a Web page, both the JavaScript and the Web page must originate from the same domain. Without the Same Origin Policy, a malicious website could serve up JavaScript that loads sensitive information from other websites using a client's credentials, culls through it, and communicates it back to the attacker. HTML5 makes it possible for JavaScript to access data across domains if a new HTTP header called Access-Control-Allow-Origin is defined. With this header, a Web server defines which other domains are allowed to access its domain using cross-origin requests. However, caution should be taken when defining the header because an overly permissive CORS policy will allow a malicious application to communicate with the victim application in an inappropriate way, leading to spoofing, data theft, relay and other attacks.

Example 1: Below is an example of using a wildcard to programmatically specify which domains the application is allowed to communicate with.


Response.AddHeader "Access-Control-Allow-Origin", "*"


Using the * as the value of the Access-Control-Allow-Origin header indicates that the appliction's data is accessible to JavaScript running on any domain.

REFERENCES

[1] Philippe De Ryck, Lieven Desmet, Pieter Philippaerts, and Frank Piessens A Security Analysis of Next Generation Web Standards

[2] W3C Cross-Origin Resource Sharing

[3] Enable Cross-Origin Resource Sharing

[4] Michael Schmidt HTML5 Web Security

[5] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.10