CWE is a trademark of the MITRE Corporation.
Overly Permissive Cross-domain Whitelist [CWE-942]
This weakness describes a case where software uses a cross-domain policy that includes domains which should not be trusted.
Created: June 11, 2018
Table of Contents
- Potential impact
- Attack patterns
- Affected software
- Severity and CVSS Scoring
- Vulnerability Remediation Techniques and Examples
A cross-domain policy is defined via HTTP headers sent to the client’s browser.
There are two headers that are important to the cross-origin resource sharing (CORS) process:
- Access-Control-Allow-Origin – defines which origin (scheme, host and port) is allowed to read responses from the application; the value is either a single origin or the wildcard “*”.
- Access-Control-Allow-Credentials – defines whether the browser may expose the response to page scripts when the request was sent with credentials (cookies, HTTP authentication or client certificates).
The vulnerability occurs when the “Access-Control-Allow-Origin” header lists a domain that is under the attacker’s control (e.g. the application accepts any domain from the HTTP request’s Origin header and mirrors it back to the browser, or simply responds with an asterisk) and “Access-Control-Allow-Credentials” is set to “true”. The attacker is then able to inject arbitrary content from the domain under his or her control and display that content in the victim’s browser.
2. Potential impact
3. Attack patterns
The following attack patterns are related to this weakness:
4. Affected software
Software that relies on cross-domain browser policy is affected by this vulnerability.
5. Severity and CVSS Scoring
This vulnerability allows the same impact as cross-site scripting and therefore should be scored as such:
4.7 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] - Medium
The only possible mitigation technique is to replace HTTP header values on the server side to prevent exploitation of this vulnerability.
6. Vulnerability Remediation Techniques and Examples
When developing an application, never rely on user-supplied input when setting values for HTTP headers. Always use a predefined value for “Access-Control-Allow-Origin” that does not contain the “*” character and cannot be influenced by the incoming HTTP request. Also, where possible, leave “Access-Control-Allow-Credentials” disabled (unset or “false”) by default and enable it only for the specific predefined origins that genuinely need credentialed access.
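The weak pattern and the remediation side by side, as an added Python example that is not part of the original glossary entry. The allow-list entries (app.example.com, admin.example.com) are constructed for illustration; the audit helper flags a response that carries a wildcard or an origin outside the allow-list, which is the CWE-942 condition the text describes.

```python
from urllib.parse import urlsplit

# Constructed allow-list of origins (example values, not from the page).
ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://admin.example.com",
})


def vulnerable_cors_headers(request_origin):
    """The weak pattern: mirror whatever Origin the request carried and
    allow credentials, so any site can make credentialed cross-origin reads."""
    headers = {}
    if request_origin:
        headers["Access-Control-Allow-Origin"] = request_origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def hardened_cors_headers(request_origin, allowed=ALLOWED_ORIGINS,
                          with_credentials=False):
    """Emit CORS headers only when the request's Origin exactly matches a
    predefined entry; never '*' and never a value derived from the request."""
    if not request_origin:
        return {}
    parts = urlsplit(request_origin)
    # Normalise scheme and host case before comparing, so that
    # 'HTTPS://App.Example.com' matches while
    # 'https://app.example.com.evil.test' or 'null' do not.
    normalised = f"{parts.scheme.lower()}://{parts.netloc.lower()}"
    if normalised not in allowed:
        return {}
    # Vary: Origin keeps shared caches from serving one origin's
    # CORS response to another origin.
    headers = {"Access-Control-Allow-Origin": normalised, "Vary": "Origin"}
    if with_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def is_overly_permissive(response_headers, allowed=ALLOWED_ORIGINS):
    """Audit check: True when the response grants cross-origin access to
    the wildcard or to an origin that is not on the predefined allow-list."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False  # no cross-origin access granted at all
    return acao == "*" or acao not in allowed
```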
- CWE-942: Overly Permissive Cross-domain Whitelist [cwe.mitre.org]
- Cross-Origin Resource Sharing (CORS) [developer.mozilla.org]
- Access-Control-Allow-Credentials [developer.mozilla.org]
Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to High-Tech Bridge is given.