mirror of
https://github.com/github/codeql.git
synced 2025-12-16 16:53:25 +01:00
Updated qhelp for cors permissive configuration
@@ -3,69 +3,71 @@
|
||||
"qhelp.dtd">
|
||||
<qhelp>
|
||||
|
||||
<overview>
|
||||
<p>
|
||||
<overview>
|
||||
<p>
|
||||
|
||||
A server can use <code>CORS</code> (Cross-Origin Resource Sharing) to relax the
|
||||
restrictions imposed by the <code>SOP</code> (Same-Origin Policy), allowing controlled, secure
|
||||
cross-origin requests when necessary.
|
||||
A server can use CORS (Cross-Origin Resource Sharing) to relax the
|
||||
restrictions imposed by the Same-Origin Policy, allowing controlled, secure
|
||||
cross-origin requests when necessary.
|
||||
|
||||
A server with an overly permissive <code>CORS</code> configuration may inadvertently
|
||||
expose sensitive data or lead to <code>CSRF</code> which is an attack that allows attackers to trick
|
||||
users into performing unwanted operations in websites they're authenticated to.
|
||||
</p>
|
||||
<p>
|
||||
|
||||
</p>
|
||||
A server with an overly permissive CORS configuration may inadvertently
|
||||
expose sensitive data or enable CSRF attacks, which allow attackers to trick
|
||||
users into performing unwanted operations on websites they're authenticated to.
|
||||
|
||||
</overview>
|
||||
</p>
|
||||
</overview>
|
||||
|
||||
<recommendation>
|
||||
<p>
|
||||
<recommendation>
|
||||
<p>
|
||||
|
||||
When the <code>origin</code> is set to <code>true</code>, it signifies that the server
|
||||
is accepting requests from <code>any</code> origin, potentially exposing the system to
|
||||
CSRF attacks. This can be fixed using <code>false</code> as origin value or using a whitelist.
|
||||
When the <code>origin</code> is set to <code>true</code>, the server
|
||||
accepts requests from any origin, potentially exposing the system to
|
||||
CSRF attacks. Use <code>false</code> as the origin value or implement a whitelist
|
||||
of allowed origins instead.
|
||||
|
||||
</p>
|
||||
<p>
|
||||
</p>
|
||||
<p>
|
||||
|
||||
On the other hand, if the <code>origin</code> is
|
||||
set to <code>null</code>, it can be exploited by an attacker to deceive a user into making
|
||||
requests from a <code>null</code> origin form, often hosted within a sandboxed iframe.
|
||||
When the <code>origin</code> is set to <code>null</code>, it can be
|
||||
exploited by an attacker who can deceive a user into making
|
||||
requests from a <code>null</code> origin, often hosted within a sandboxed iframe.
|
||||
|
||||
</p>
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
If the <code>origin</code> value is user-controlled, ensure that the data
|
||||
is properly sanitized and validated against a whitelist of allowed origins.
|
||||
|
||||
If the <code>origin</code> value is user controlled, make sure that the data
|
||||
is properly sanitized.
|
||||
</p>
|
||||
</recommendation>
|
||||
|
||||
</p>
|
||||
</recommendation>
|
||||
<example>
|
||||
<p>
|
||||
|
||||
<example>
|
||||
<p>
|
||||
In the following example, <code>server_1</code> accepts requests from any origin
|
||||
because the value of <code>origin</code> is set to <code>true</code>.
|
||||
<code>server_2</code> uses user-controlled data for the origin without validation.
|
||||
|
||||
In the example below, the <code>server_1</code> accepts requests from any origin
|
||||
since the value of <code>origin</code> is set to <code>true</code>.
|
||||
And <code>server_2</code>'s origin is user-controlled.
|
||||
</p>
|
||||
|
||||
</p>
|
||||
<sample src="examples/CorsPermissiveConfigurationBad.js"/>
|
||||
|
||||
<sample src="examples/CorsPermissiveConfigurationBad.js"/>
|
||||
<p>
|
||||
|
||||
<p>
|
||||
To fix these issues, <code>server_1</code> uses a restrictive CORS configuration
|
||||
that is not vulnerable to CSRF attacks. <code>server_2</code> properly validates
|
||||
user-controlled data against a whitelist before using it.
|
||||
|
||||
In the example below, the <code>server_1</code> CORS is restrictive so it's not
|
||||
vulnerable to CSRF attacks. And <code>server_2</code>'s is using properly sanitized
|
||||
user-controlled data.
|
||||
</p>
|
||||
|
||||
</p>
|
||||
<sample src="examples/CorsPermissiveConfigurationGood.js"/>
|
||||
</example>
|
||||
|
||||
<sample src="examples/CorsPermissiveConfigurationGood.js"/>
|
||||
</example>
|
||||
|
||||
<references>
|
||||
<li>Mozilla Developer Network: <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin">CORS, Access-Control-Allow-Origin</a>.</li>
|
||||
<li>W3C: <a href="https://w3c.github.io/webappsec-cors-for-developers/#resources">CORS for developers, Advice for Resource Owners</a></li>
|
||||
</references>
|
||||
<references>
|
||||
<li>Mozilla Developer Network: <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin">CORS, Access-Control-Allow-Origin</a>.</li>
|
||||
<li>W3C: <a href="https://w3c.github.io/webappsec-cors-for-developers/#resources">CORS for developers, Advice for Resource Owners</a>.</li>
|
||||
</references>
|
||||
</qhelp>
|
||||
|
||||
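Review bot: the overview and the second example paragraph ("not vulnerable to CSRF attacks") frame the impact of a permissive CORS policy as CSRF, but CORS only controls whether a cross-origin page may read the response, not whether the browser sends the request, so the primary risk of accepting any origin is that an untrusted origin can read authenticated responses (the "expose sensitive data" case the overview already names); consider leading with that and presenting CSRF as a secondary consequence rather than the headline. In the recommendation, "sanitized and validated against a whitelist of allowed origins" should say how the check is done: compare the full origin string (scheme, host and port) for exact equality against the list, since a prefix, suffix or substring match accepts origins the author did not intend; "sanitized" is the wrong verb for an origin value, which is validated, not cleaned, so drop it. The `null` paragraph describes the risk but gives no fix; add a sentence stating that `null` must never be an accepted origin, including when the list of allowed origins is derived from user-controlled data.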