PCI v3.2-6.5.8
CWE-16
ISO27001-A.14.1.2
WASC-15
OWASP 2013-A5
OWASP 2017-A6

Misconfigured Access-Control-Allow-Origin Header

Severity: Low
Summary

Invicti detected a possibly misconfigured Access-Control-Allow-Origin header in the resource's HTTP response.

Cross-origin resource sharing (CORS) is a mechanism that allows resources on a web page to be requested from a different origin than the page itself, for example through XMLHttpRequest.

Unless this HTTP header is present in the response, web browsers forbid such "cross-domain" requests under the same-origin security policy.

Impact

Permitting cross-origin access to this resource is generally not appropriate under the same-origin security policy. The only case where it is appropriate is when the page or API response is considered completely public content that is intended to be accessible to everyone.

Remediation

If this page is intended to be accessible to everyone, you don't need to take any action. Otherwise, please follow the guidelines for the different architectures below in order to set this header so that it permits only the intended outside domain. In each case, replace domain with the origin you intend to allow.

Apache

  • Add the following line inside either the <Directory>, <Location>, <Files> or <VirtualHost> sections of your server config (usually located in httpd.conf or apache.conf), or within a .htaccess file:

    Header set Access-Control-Allow-Origin "domain"

IIS6

  1. Open Internet Information Services (IIS) Manager
  2. Right-click the site you want to enable CORS for and go to Properties
  3. Change to the HTTP Headers tab
  4. In the Custom HTTP headers section, click Add
  5. Enter Access-Control-Allow-Origin as the header name
  6. Enter domain as the header value

IIS7

  • Merge the following XML into the web.config file at the root of your application or site:

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <system.webServer>
        <httpProtocol>
          <customHeaders>
            <add name="Access-Control-Allow-Origin" value="domain" />
          </customHeaders>
        </httpProtocol>
      </system.webServer>
    </configuration>

ASP.NET

  • If you don't have access to configure IIS, you can still add the header through ASP.NET by adding the following line to your source pages:

    Response.AppendHeader("Access-Control-Allow-Origin", "domain");
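The server configurations above all set a single fixed origin. Where an application must serve several front-end origins, the usual mistake is to reflect whatever Origin header arrives or to fall back to a wildcard, which is what a scanner reports as a possibly misconfigured header. The following Python is an added example, not code from Invicti's page or product; it assumes a constructed allowlist of trusted origins (ALLOWED_ORIGINS) and shows the two sides of the remediation: deciding which header to emit for a given request, and auditing a response's headers the way a reviewer would before closing the finding.

```python
from urllib.parse import urlsplit

# Constructed allowlist (assumption for this example): the only front-end
# origins that are permitted to read this API's responses cross-origin.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def normalize_origin(origin):
    """Return scheme://host[:port] in lowercase, or None if the value is not a
    well-formed Origin header value (Origin never carries a path or query)."""
    if not origin or origin == "null":
        return None
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def cors_headers_for(request_origin, allowed=ALLOWED_ORIGINS, public=False):
    """Decide which CORS headers to emit for a request carrying request_origin.

    public=True models the one case the advisory allows a wildcard: content
    that is completely public. Otherwise the Origin is echoed only on an exact
    allowlist match (no prefix or substring matching), together with
    Vary: Origin so shared caches never serve one origin's answer to another.
    An empty dict means "send no Access-Control-Allow-Origin header", which
    makes the browser block the cross-origin read.
    """
    if public:
        return {"Access-Control-Allow-Origin": "*"}
    origin = normalize_origin(request_origin)
    if origin is None or origin not in allowed:
        return {}
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}


def classify_acao(response_headers, request_origin=None):
    """Audit a response's CORS headers. Returns a short reason string when the
    header looks misconfigured, or None when it is absent or acceptable.

    - "wildcard": '*' is only acceptable for fully public content; review it.
    - "wildcard-with-credentials": '*' combined with credentials, never valid.
    - "null-origin-allowed": the literal 'null' origin is allowed.
    - "reflected-origin": the request's Origin was echoed back even though it
      is not on the allowlist, i.e. the server reflects arbitrary origins.
    """
    headers = {name.lower(): value for name, value in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    if acao is None:
        return None
    credentials = headers.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*":
        return "wildcard-with-credentials" if credentials else "wildcard"
    if acao == "null":
        return "null-origin-allowed"
    if (request_origin is not None and acao == request_origin
            and normalize_origin(request_origin) not in ALLOWED_ORIGINS):
        return "reflected-origin"
    return None


if __name__ == "__main__":
    # Constructed sample responses, as a scanner or reviewer might see them.
    samples = [
        ({"Access-Control-Allow-Origin": "*"}, None),
        ({"Access-Control-Allow-Origin": "*",
          "Access-Control-Allow-Credentials": "true"}, None),
        ({"Access-Control-Allow-Origin": "https://other.test"}, "https://other.test"),
        ({"Access-Control-Allow-Origin": "https://app.example.com"}, "https://app.example.com"),
    ]
    for response, origin in samples:
        print(response.get("Access-Control-Allow-Origin"), "->", classify_acao(response, origin))
    print(cors_headers_for("https://app.example.com"))
    print(cors_headers_for("https://app.example.com.other.test"))
```

The exact-match check is the important design choice: comparing normalized origins against a set rejects look-alike hosts such as a trusted hostname used as a prefix of another domain, which a substring or regex check would often accept. Vary: Origin is added whenever a specific origin is echoed so that a cached response for one origin is not replayed to a different one.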