Security Test: CORS¶

Description¶

Default Severity:

CORS issues happen when a web server is set up to share resources with other websites in a way that's too open or not specific enough. This means that attackers might trick browsers into sending requests from an authenticated session to the wrong place, which could let them perform actions the user didn’t intend. The danger comes when these open policies let outsiders execute unauthorized commands or access sensitive data, so it’s important for developers to carefully restrict which sites can interact with their applications. A common mistake is using overly broad rules (like wildcards) instead of specifying trusted origins, which can inadvertently give attackers a way in.

Reference:

https://portswigger.net/web-security/cors

Configuration¶

Identifier: protocol/cors

Examples¶

All configuration available:

checks:
  protocol/cors:
    skip: false # default

Compliance and Standards¶

Standard	Value
OWASP API Top 10	API7:2023
OWASP LLM Top 10	LLM06:2023
PCI DSS	`6.5.9`
GDPR	`Article-32`
SOC2	`CC1`
PSD2	`Article-95`
ISO 27001	`A.14.2`
NIST	`SP800-53`
FedRAMP	`AC-4`
CWE	`942`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C`
CVSS Score	`5.1`