Vulnerability : Server-Generated ACAO Header From Client-Specified Origin header

[sgwgsw]

ModernWMS/backend/ModernWMS.Core/Middleware/CorsMiddleware.cs

Lines 38 to 51 in 62e1727

	if (httpContext.Request.Method == "OPTIONS")
	{
	httpContext.Response.Headers.Add("Access-Control-Allow-Origin", httpContext.Request.Headers["Origin"]);
	httpContext.Response.Headers.Add("Access-Control-Allow-Headers", httpContext.Request.Headers["Access-Control-Request-Headers"]);
	httpContext.Response.Headers.Add("Access-Control-Allow-Methods", "PUT,POST,GET,DELETE,OPTIONS,HEAD,PATCH");
	httpContext.Response.Headers.Add("Access-Control-Allow-Credentials", "true");
	httpContext.Response.Headers.Add("Access-Control-Max-Age", "86400");
	httpContext.Response.StatusCode = StatusCodes.Status200OK;
	return Task.CompletedTask;
	}
	if (httpContext.Request.Headers["Origin"] != "")
	{
	httpContext.Response.Headers.Add("Access-Control-Allow-Origin", httpContext.Request.Headers["Origin"]);
	}

The client's Origin header is reflected in the Access-Control-Allow-Origin header from the server, granting any domain access to CORS resources. There should be a white-list in the configuration that lists allowed Origin headers.

The issue is made worse with "Access-Control-Allow-Credentials: true". Now that any domain can access the endpoints, they also can also authenticate as another user. This can be done by sending a crafted link to a user who is logged in (presumably, unless session token is persistent) - once clicked, the script would send a CORS request to sensitive endpoints and the browser would send along their cookies since "Access-Control-Allow-Credentials: true" is set.

More info on vulnerability - https://portswigger.net/web-security/cors#server-generated-acao-header-from-client-specified-origin-header

[JawerZ]

The situations you mentioned exist, but users need to limit them according to their actual needs