Protocol: CORS¶

Identifier: cors

Scanner(s) Support¶

GraphQL Scanner	REST Scanner	WebApp Scanner

Description¶

CORS issues happen when a web server is set up to share resources with other websites in a way that's too open or not specific enough. This means that attackers might trick browsers into sending requests from an authenticated session to the wrong place, which could let them perform actions the user didnt intend. The danger comes when these open policies let outsiders execute unauthorized commands or access sensitive data, so its important for developers to carefully restrict which sites can interact with their applications. A common mistake is using overly broad rules (like wildcards) instead of specifying trusted origins, which can inadvertently give attackers a way in.

References:

https://portswigger.net/web-security/cors

Configuration¶

Example¶

Example configuration:

---
security_tests:
  cors:
    assets_allowed:
    - REST
    - GRAPHQL
    - WEBAPP
    skip: false

Reference¶

`assets_allowed`¶

Type : List[AssetType]*

List of assets that this check will cover.

`skip`¶

Type : boolean

Skip the test if true.