Rules Repository: RSPEC-5122

Enabling Cross-Origin Resource Sharing is security-sensitive

    Details

    • Message:
      Make sure that enabling CORS is safe here.
    • Highlighting:
      The HTTP header, configuration option or code enabling CORS
    • Default Severity:
      Minor
    • Impact:
      Low
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      C#, Go, PHP, Python, Ruby, Scala, VB.Net
    • Covered Languages:
      Java, JavaScript
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes
    • CWE:
      CWE-346, CWE-942
    • OWASP:
      A6
    • SANS Top 25:
      Porous Defenses

      Description

      Enabling Cross-Origin Resource Sharing (CORS) is security-sensitive. For example, it has led in the past to the following vulnerabilities:

      Applications that enable CORS relax the browser's same-origin policy, which normally stops a script running on one origin (scheme, host and port) from reading the response to a request it sends to another origin. If CORS is configured too permissively, for example by reflecting any Origin header or by answering with a wildcard on endpoints that return user-specific data, a page controlled by an attacker can read that data out of a victim's browser.

      This rule flags code that enables CORS or specifies any HTTP response headers associated with CORS. The goal is to guide security code reviews.

      Ask Yourself Whether

      • Any URLs responding with Access-Control-Allow-Origin: * include sensitive content.
      • Any domains specified in Access-Control-Allow-Origin headers are checked against a whitelist.
      • Access-Control-Allow-Credentials: true is ever sent together with an Access-Control-Allow-Origin value that was copied from the request's Origin header without validation.

      Recommended Secure Coding Practices

      • The Access-Control-Allow-Origin header should be set only on the specific URLs that require access from other domains. Don't enable the header for the entire domain.
      • Don't rely on the Origin header blindly, without validation: any non-browser client can set it to an arbitrary value, and a browser will send the attacker's own origin from a page the attacker controls. Check the full origin (scheme, host and port) against a whitelist using an exact match, not a substring or suffix match, before returning it in the Access-Control-Allow-Origin header, and add Vary: Origin so that caches do not serve the response to a different origin.
      • Use Access-Control-Allow-Origin: * only if your application absolutely requires it, for example in the case of an open/public API. For such endpoints, make sure that there is no sensitive content or information included in the response. Browsers refuse to combine * with Access-Control-Allow-Credentials: true, so the wildcard cannot expose cookie-authenticated data, but it still exposes anything the endpoint returns without credentials.
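      The practices above, as an added example that is not SonarSource's or the rule's own code: an origin whitelist for CORS in a Node.js HTTP handler, beside the two patterns the rule is meant to make a reviewer look at (blind reflection of Origin and a suffix match). The origins, route name and function names are made-up assumptions; only Node's built-in URL parser is used.

```javascript
// Added example, not SonarSource's or the rule's own code. ALLOWED_ORIGINS,
// PUBLIC_ROUTES and the function names are assumptions for illustration.

// Exact-match whitelist of origins. An origin is scheme + host + port, so
// 'https://app.example.com' and 'http://app.example.com' are different entries.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com:8443',
]);

// Routes that are deliberately public and return no sensitive content; only
// these may answer with a wildcard.
const PUBLIC_ROUTES = new Set(['/api/public/status']);

// Normalise an Origin header value to scheme://host[:port] with the WHATWG URL
// parser, so 'https://APP.example.com/' compares equal to the whitelist entry.
// Returns null for anything that is not a bare origin: the literal 'null'
// origin (sandboxed iframes, file://), userinfo tricks such as
// 'https://app.example.com@evil.net', or values carrying a path or query.
function normalizeOrigin(value) {
  if (typeof value !== 'string') return null;
  let u;
  try {
    u = new URL(value);
  } catch {
    return null;
  }
  if (u.origin === 'null' || u.username || u.password) return null;
  if (u.pathname !== '/' || u.search || u.hash) return null;
  return u.origin;
}

// Compute the CORS headers for one request. An empty object means "grant no
// cross-origin access": the browser then applies the same-origin policy.
function corsHeadersFor(route, originHeader) {
  if (PUBLIC_ROUTES.has(route)) {
    // Public data only. Browsers refuse '*' together with credentials, so a
    // cookie-authenticated response can never be read through this branch.
    return { 'Access-Control-Allow-Origin': '*' };
  }

  const origin = normalizeOrigin(originHeader);
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) {
    return {};
  }

  // Echo only the validated origin. Vary: Origin stops a shared cache from
  // serving this per-origin answer to a different origin.
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// The two patterns to reject in review, kept for contrast. Reflecting the
// header blindly trusts whatever the requesting page's origin happens to be;
// a suffix match lets 'https://evilexample.com' pass as example.com.
function reflectOriginBlindly(originHeader) {
  return { 'Access-Control-Allow-Origin': originHeader };
}
function naiveSuffixCheck(originHeader) {
  return typeof originHeader === 'string' && originHeader.endsWith('example.com');
}

// Constructed inputs: a whitelisted origin, a look-alike host, and a bare
// request with no Origin header at all.
console.log(corsHeadersFor('/api/account', 'https://app.example.com'));
console.log(corsHeadersFor('/api/account', 'https://app.example.com.evil.net'));
console.log(corsHeadersFor('/api/account', undefined));
console.log('suffix check fooled:', naiveSuffixCheck('https://evilexample.com'));
```

      In a request handler, call corsHeadersFor with the request path and req.headers.origin and set each returned header with res.setHeader; a preflight (OPTIONS) response goes through the same decision, so Access-Control-Allow-Methods and Access-Control-Allow-Headers are only added when the origin passed the whitelist.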

      See

          Issue Links

          1. Java RSPEC-5123 Language-Specification Active Unassigned
          2. C# RSPEC-5124 Language-Specification Active Unassigned
          3. JavaScript RSPEC-5125 Language-Specification Active Unassigned
          4. VB.NET RSPEC-5126 Language-Specification Active Unassigned
          5. PHP RSPEC-5127 Language-Specification Active Unassigned
          6. XML RSPEC-5218 Language-Specification Active Unassigned

              People

              • Assignee: Unassigned
              • Reporter: Lars Svensson (Inactive)