Weak CORS Policies¶
Trusting any origin¶
Browsers will not send credentials if server set header Access-Control-Allow-Origin:*
If a server application need to allow cross-origin requests to any domains, developers can return Access-Control-Allow-Origin:
Improper domain allow list¶
Sometimes developers write some login to allow any origin with subdomains and they can implement this logic incorrectly. For example, the task is allow any subdomains for test.com. Developers can allow faketest.com too, if they check only if test.com is substring for request.origin.
References¶
- web200 p. 187