Client Side Vulnerabilities / Cross-Origin Resource Sharing: All Subdomains Trusted
Description
A Cross-Origin Resource Sharing (CORS) policy controls whether and how content running on other domains can interact with the domain that publishes the policy. The policy is granular and can apply per-request access controls based on the URL and other characteristics of the request.
Risk
The common exploitation scenarios can be described by the following steps:
- An attacker sets up a malicious website hosting JavaScript code, which aims to retrieve data from a vulnerable web application.
- The attacker entices the victim to visit the website using phishing or an unvalidated redirection in the target application.
- The JavaScript code is then loaded in the victim browser and performs silent cross-domain authenticated requests to the target application to steal data and store it.
If an application allows interaction from all subdomains, then this significantly increases its attack surface. For example, a cross-site scripting (XSS) vulnerability in any subdomain could potentially compromise the application that publishes the policy. Some consumer ISPs return custom content when requests are made to unregistered subdomains, which can introduce XSS vulnerabilities even if all of an organization's own applications are secure.
Solution
The use of wildcards should be avoided because any domain that matches the wildcard expression is implicitly trusted and can interact with the server. Instead of trusting all subdomains, a whitelist of trusted subdomains should be used. Interaction from any other domain not included on the whitelist should be prohibited.
Access-Control-Allow-Origin: *