Merge pull request #207 from righettod/add_cors

Propose check to detect misconfiguration for CORS credentials requested.
PortSwigger · May 13, 2024 · e32801d · e32801d
2 parents 4dd9a93 + e133133
commit e32801d
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/other/corsCredentialedRequestsMisconfiguration.bcheck b/other/corsCredentialedRequestsMisconfiguration.bcheck
@@ -0,0 +1,18 @@
+metadata:
+    language: v2-beta
+    name: "Invalid CORS configuration for credentialed requests detected"
+    description: "Checks for a broken CORS configuration case: Credentialed requests and wildcards."
+    author: "Dominique Righetto"
+    tags: "passive", "informative"
+
+# The server must not specify the "*" wildcard for the Access-Control-Allow-Origin response-header value, but must instead specify an explicit origin 
+# Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#requests_with_credentials
+given response then
+    if {latest.response.headers} matches "(?i)Access-Control-Allow-Origin:\s+\*" and
+        {latest.response.headers} matches "(?i)Access-Control-Allow-Credentials:\s+true" then
+        report issue:
+            severity: info
+            confidence: firm
+            detail: "Credentialed CORS requests cannot used wildcards origins."
+            remediation: "Specify an explicit allow origin. Refer to the Mozilla CORS documentation for technical details: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#requests_with_credentials"
+    end if