Description
Cross-Origin Resource Sharing (CORS) lets a browser expose responses from one origin to pages served from a different origin so that cross-domain functionality can work. The response header that controls which origins are granted that access is Access-Control-Allow-Origin. In this case the header was set to *, which allows a page from any origin to read the resources being shared. This can lead to exploits where a malicious actor sends requests from their own domain and reads responses that may contain sensitive information.
Evaluation Criteria:
CORS can be tricky for mobile apps. It is a browser security mechanism, so it only applies to software that enforces it. Every major web browser does, but native mobile traffic usually does not. It is still called out because many native mobile apps use web views to display content; a web view is a form of browser and will usually honour the header in question. The endpoints listed in the evidence should be evaluated to see whether their responses are consumed by a web view in the app and whether they handle sensitive information. If both are the case, this should likely be elevated to a vulnerability.
Steps To Reproduce
As the app is exercised on a physical device, each network call is observed. Within those network calls, the Access-Control-Allow-Origin response header is checked to ensure that it is not set to *. If it is, the call is flagged as an issue.
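The check described above, written out as an added example that is not part of the original report: it walks a list of captured responses, looks up Access-Control-Allow-Origin case-insensitively (header names are not case-sensitive, so a capture tool may record them in any casing) and flags the wildcard. It goes slightly beyond the report by also flagging the value null, which browsers treat as a real origin that sandboxed content can obtain. The captured responses and hostnames are constructed sample data, not endpoints from the report.

```python
# Added example (not from the original report): scan captured HTTP responses for a
# wildcard Access-Control-Allow-Origin header, as the "Steps To Reproduce" describe.
# The captured responses below are constructed sample data.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CapturedResponse:
    url: str
    headers: Dict[str, str] = field(default_factory=dict)


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Header names are case-insensitive, so compare them in lowercase."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value.strip()
    return None


def check_cors(resp: CapturedResponse) -> Optional[str]:
    """Return a reason string when the response grants access too broadly, else None."""
    acao = get_header(resp.headers, "Access-Control-Allow-Origin")
    if acao is None:
        return None  # no CORS grant at all: browsers and web views block cross-origin reads
    if acao == "*":
        return "wildcard Access-Control-Allow-Origin"
    # Beyond the report's check: 'null' is also an over-broad grant, because
    # sandboxed frames and some redirects produce an Origin of exactly "null".
    if acao.lower() == "null":
        return "Access-Control-Allow-Origin set to null"
    return None


def scan(responses: List[CapturedResponse]) -> List[dict]:
    """Apply check_cors to every captured response and collect the findings."""
    findings = []
    for resp in responses:
        reason = check_cors(resp)
        if reason:
            findings.append({"url": resp.url, "reason": reason})
    return findings


# Constructed sample traffic (hostnames are placeholders, not endpoints from the report).
SAMPLE_RESPONSES = [
    CapturedResponse("https://analytics.example/track",
                     {"access-control-allow-origin": "*", "Content-Type": "text/plain"}),
    CapturedResponse("https://api.example/profile",
                     {"Access-Control-Allow-Origin": "https://app.example", "Vary": "Origin"}),
    CapturedResponse("https://api.example/account",
                     {"Access-Control-Allow-Origin": "null"}),
    CapturedResponse("https://cdn.example/logo.png",
                     {"Content-Type": "image/png"}),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RESPONSES):
        print(f"{finding['url']}: {finding['reason']}")
```

A finding from this scan is only the first step of the evaluation criteria above: the flagged URL still has to be matched against what the app's web views actually load, and against whether the response body carries anything sensitive.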
Business Impact
A resource the app communicates with is not using a best practice that can help prevent sensitive data from being intercepted.
Recommended Fix
This is a backend API problem that may not be in the direct control of the app team. It may be a matter of simply knowing about and accepting the risk posed by a third party. For backend resources that can be updated, the Access-Control-Allow-Origin header should name an explicit whitelist of allowed domains instead of allowing any domain.
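One way a backend can implement that whitelist, shown here as an added example rather than the report's or any framework's own code: the weak setting (answer every request with *) sits beside the corrected one, which echoes the request's Origin only when it is an exact member of an explicit set and otherwise sends no CORS headers at all. The ALLOWED_ORIGINS values are hypothetical placeholders.

```python
# Added example (not the report's code): build CORS response headers from an explicit
# allowlist of origins instead of answering '*', as the "Recommended Fix" advises.
from typing import Dict, FrozenSet, Optional

# Hypothetical allowlist; the real entries belong to the deploying team.
ALLOWED_ORIGINS: FrozenSet[str] = frozenset({
    "https://app.example",
    "https://admin.example",
})


def cors_headers_wildcard(request_origin: Optional[str]) -> Dict[str, str]:
    """The weak setting the report flags: any origin may read the response."""
    return {"Access-Control-Allow-Origin": "*"}


def cors_headers(request_origin: Optional[str],
                 allowed: FrozenSet[str] = ALLOWED_ORIGINS) -> Dict[str, str]:
    """Return the CORS headers to add to a response for this request.

    A missing or unknown Origin gets no CORS headers, so the browser or web view
    refuses to expose the body to that page. A known origin is echoed back exactly,
    and 'Vary: Origin' stops a shared cache from handing one origin's grant to another.
    """
    if request_origin is None:
        return {}
    # Exact string match only. Prefix, suffix or substring checks would let a
    # look-alike origin through, so the whole scheme://host[:port] must match.
    if request_origin not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Vary": "Origin",
    }


if __name__ == "__main__":
    for origin in ("https://app.example", "https://other.example", None):
        print(origin, "->", cors_headers(origin))
```

The same check drops into any server framework's response hook: read the request's Origin header, call cors_headers, and merge the returned dictionary into the response headers.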
Vulnerable Connections
https://api.mixpanel.com/track/?ip=1