CWE Glossary

CWE is a trademark of the MITRE Corporation.


Overly Permissive Cross-domain Whitelist [CWE-942]

The weakness describes a case where software uses a cross-domain policy that includes domains (origins) that should not be trusted.

Created: June 11, 2018

Table of Contents

  1. Description
  2. Potential impact
  3. Attack patterns
  4. Affected software
  5. Severity and CVSS Scoring
  6. Mitigations
  7. Vulnerability Remediation Techniques and Examples
  8. References

1. Description

For web applications the cross-domain policy is expressed through the HTTP response headers of the cross-origin resource sharing (CORS) mechanism; the browser reads them and enforces the policy on the client side. (The same weakness class also covers other policy files consumed by browser plug-ins, such as Flash's crossdomain.xml.)

Two response headers are central to the cross-origin resource sharing process:

Access-Control-Allow-Origin – names the single origin (scheme, host and port) that is allowed to read the response, or "*" for any origin.

Access-Control-Allow-Credentials – when set to "true", tells the browser that the response to a request made with credentials (cookies, HTTP authentication, client certificates) may be exposed to the requesting page.

The vulnerability occurs when "Access-Control-Allow-Origin" names an origin under the attacker's control, most often because the application accepts any value from the request's Origin header and mirrors it back, and "Access-Control-Allow-Credentials" is set to "true". A page on the attacker's origin can then issue requests to the application with the victim's credentials attached and read the responses. Responding with an asterisk alone is a weaker form of the problem: browsers refuse to expose a credentialed response when the header is "*", so it exposes only data that does not depend on the user's session, for instance resources that are protected by network location alone.
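The browser-side logic that decides whether a cross-origin response is exposed, as an added example (not code from the original page): it models the server behaviours described above and shows which of them the attacker from the last paragraph can actually exploit. The origins used are made up for illustration.

```javascript
// Added example (not code from the original page): a model of the
// browser-side CORS check, used to show which of the server behaviours
// described above actually let an attacker's page read a response.
// The origins below are constructed for illustration.

// Server behaviours from the description. Each receives the request's
// Origin header and returns the CORS headers it would put on the response.
const policies = {
  // Mirrors whatever Origin the request carried: the vulnerable pattern.
  reflect: (origin) => ({
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  }),
  // Wildcard plus credentials: looks just as bad, but browsers refuse it.
  wildcard: () => ({
    'Access-Control-Allow-Origin': '*',
    'Access-Control-Allow-Credentials': 'true',
  }),
  // Wildcard without credentials: any page can read, but only as an
  // anonymous client.
  publicOnly: () => ({
    'Access-Control-Allow-Origin': '*',
  }),
};

// The browser's check on a cross-origin response (the "CORS check" of the
// Fetch standard): may the page at requestOrigin read this response?
function browserExposesResponse(requestOrigin, withCredentials, headers) {
  const acao = headers['Access-Control-Allow-Origin'];
  const acac = headers['Access-Control-Allow-Credentials'];
  if (acao === undefined) return false;
  if (!withCredentials) {
    // Anonymous request: '*' or a byte-exact origin match is enough.
    return acao === '*' || acao === requestOrigin;
  }
  // Credentialed request: '*' is rejected, the origin must match exactly and
  // Access-Control-Allow-Credentials must be the literal string 'true'.
  return acao === requestOrigin && acac === 'true';
}

// The attack: a victim logged in at the target visits attackerOrigin, whose
// script runs fetch(targetUrl, { credentials: 'include' }); the browser
// attaches the victim's cookies. Returns true if the attacker's script can
// read the (authenticated) response under the given server policy.
function attackerCanReadResponse(policyName, attackerOrigin = 'https://attacker.example') {
  const responseHeaders = policies[policyName](attackerOrigin);
  return browserExposesResponse(attackerOrigin, true, responseHeaders);
}

// Result for every policy, for a quick look at which ones leak.
function summarize() {
  const out = {};
  for (const name of Object.keys(policies)) {
    out[name] = attackerCanReadResponse(name);
  }
  return out; // { reflect: true, wildcard: false, publicOnly: false }
}
```

summarize() returns { reflect: true, wildcard: false, publicOnly: false }: only the reflecting server is exploitable with the victim's session, which is why a proof of concept for this weakness is a page on the attacker's origin that issues a credentialed fetch and reads the body, and why a wildcard by itself matters mainly for resources that are not protected by browser-managed credentials.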

2. Potential impact

The vulnerability may allow an attacker to read data from the application with the victim's authenticated session (cross-origin data theft) and to perform actions on the victim's behalf while seeing the responses, which also defeats anti-CSRF tokens that the attacker can now read from the application's pages. It does not give script execution in the application's origin.

3. Attack patterns

The following attack patterns are related to this weakness:

4. Affected software

Any web application that sets CORS headers, or another cross-domain policy consumed by the browser, can be affected, regardless of language or framework.

5. Severity and CVSS Scoring

The impact is closer to a cross-site request forgery whose responses the attacker can also read than to cross-site scripting: no script runs in the application's origin, but authenticated data can be read and actions performed. A typical score is:
4.7 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] - Medium
(4.7 is the base score for this vector; the temporal metrics E:U/RL:O/RC:C bring the temporal score to 4.1.)

6. Mitigations

Mitigation means fixing the header values the server sends, since the browser will enforce whatever policy it receives: maintain an explicit allow-list of trusted origins on the server side, return "Access-Control-Allow-Origin" only for origins on that list, and never reflect the request's Origin header unchecked. Rewriting the headers at a reverse proxy or WAF in front of the application is a stop-gap; the application's own CORS configuration should be corrected.

7. Vulnerability Remediation Techniques and Examples

When developing an application, never derive HTTP header values from user-supplied input. Compare the request's Origin header against a fixed allow-list of complete origins (scheme, host and port) using an exact, case-sensitive match; substring, prefix or suffix checks and regular expressions with unescaped dots are routinely bypassed with look-alike domains such as app.example.com.attacker.net or evilexample.com. Reject the literal origin "null", which sandboxed iframes and some redirects produce. Use "*" only for resources that are genuinely public, and never together with credentials. Set "Access-Control-Allow-Credentials" to "true" only for listed origins and only when cross-origin access to the user's session is actually required; otherwise omit the header (its only meaningful value is "true", so setting it to "false" is equivalent to leaving it out). Finally, send "Vary: Origin" whenever the response depends on the Origin header, so that shared caches do not serve one origin's response to another.
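A server-side CORS decision that follows the remediation advice above, as an added example (not code from the original page), with three common but bypassable allow-list checks beside it for contrast. The allow-listed origins, the look-alike origins and the request shape ({ method, headers } with lower-cased header names, as Node's http module provides) are assumptions made for illustration.

```javascript
// Added example (not code from the original page): a server-side CORS
// decision that follows the remediation advice above. The allow-listed
// origins and the request shape ({ method, headers } with lower-cased header
// names, as Node's http module provides) are assumptions for illustration.

// Fixed allow-list of complete origins: scheme, host and port, nothing else.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com:8443',
]);

// Returns the headers to add to the response and whether the request is a
// CORS preflight that should be answered immediately (204, empty body).
function corsDecision(req) {
  const origin = req.headers['origin'];
  // Vary: Origin is sent unconditionally so shared caches never serve a
  // response computed for one origin to a request from another.
  const headers = { 'Vary': 'Origin' };

  // No Origin header means a same-origin or non-browser request; the
  // literal 'null' (sandboxed iframes, file://, some redirects) is never
  // trusted. Anything not on the list gets no CORS headers at all, and the
  // browser keeps the response from the calling page.
  if (origin === undefined || origin === 'null' || !ALLOWED_ORIGINS.has(origin)) {
    return { headers, preflight: false };
  }

  // The origin is echoed only after the exact, case-sensitive check above;
  // credentials are enabled only for these listed origins.
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Credentials'] = 'true';

  const isPreflight = req.method === 'OPTIONS'
    && req.headers['access-control-request-method'] !== undefined;
  if (isPreflight) {
    headers['Access-Control-Allow-Methods'] = 'GET, POST';
    headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
    headers['Access-Control-Max-Age'] = '600';
  }
  return { headers, preflight: isPreflight };
}

// For contrast, three allow-list checks that are routinely found in the wild
// and are all bypassable with a domain the attacker can register.
const weakChecks = {
  // Suffix match: passes https://evilexample.com
  suffix: (o) => o.endsWith('example.com'),
  // Prefix match: passes https://app.example.com.attacker.net
  prefix: (o) => o.startsWith('https://app.example.com'),
  // Unescaped dots in a regex: passes https://appxexample.com
  regex: (o) => /^https:\/\/app.example.com$/.test(o),
};

// Constructed look-alike origins used to exercise every check.
const LOOKALIKES = [
  'https://evilexample.com',
  'https://app.example.com.attacker.net',
  'https://appxexample.com',
  'http://app.example.com', // wrong scheme
  'null',
];

// Returns the subset of LOOKALIKES that a given check lets through.
function acceptedBy(check) {
  return LOOKALIKES.filter(check);
}

// The hardened check in the same shape as the weak ones: an origin is
// accepted only if corsDecision would echo it back.
const strictCheck = (o) =>
  corsDecision({ method: 'GET', headers: { origin: o } })
    .headers['Access-Control-Allow-Origin'] === o;
```

acceptedBy(strictCheck) is empty, while each of the weak checks admits at least one of the look-alike origins; the exact-match Set lookup is what makes the difference, not the length of the list. Wire corsDecision into a request handler by merging its headers into the response and returning 204 with no body when preflight is true.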

8. References

  1. CWE-942: Overly Permissive Cross-domain Whitelist [cwe.mitre.org]
  2. Cross-Origin Resource Sharing (CORS) [developer.mozilla.org]
  3. Access-Control-Allow-Credentials [developer.mozilla.org]

Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to High-Tech Bridge is given.
