Cors Wildcard with Jwt Tokens

middleBrick detects this misconfiguration by performing a black‑box CORS probe as part of its 12 parallel checks. The scanner:

1. Sends an OPTIONS request (or a simple GET with custom headers) containing an attacker‑controlled Origin value (e.g., https://evil.example.com).
2. Examines the response for:
• Access-Control-Allow-Origin that either mirrors the supplied origin or is set to *.
• Access-Control-Allow-Credentials: true present when the origin is not a fixed trusted list.
• The presence of an Authorization header in the request (indicating token‑based auth) and, crucially, whether the response body contains data that would be useful to an attacker (often the API returns user profile or token details).
3. If the origin is reflected and credentials are allowed, middleBrick flags the finding as CORS wildcard with credential‑enabled endpoint and tags it with the Broken Authentication category, providing a severity of high.

The scanner does not need any credentials or agents; it works solely against the unauthenticated attack surface. For JWT‑specific context, middleBrick also checks whether the endpoint expects a JWT (by looking for the Bearer pattern in the Authorization header of normal requests) and notes that the exposed token could be harvested.

Example of a middleBrick CLI invocation that would reveal this issue:

middlebrick scan https://api.example.com/users/me

The resulting report would include a finding similar to:

• Finding: CORS header Access-Control-Allow-Origin: * combined with Access-Control-Allow-Credentials: true
• Endpoint: GET /users/me
• Impact: Potential JWT token leakage via cross‑origin request
• Remediation: Restrict allowed origins and disable credentials for wildcard origins.

Fixing the issue requires aligning the CORS policy with the authentication mechanism. The following principles apply:

• Never use Access-Control-Allow-Origin: * when the request includes credentials (cookies, HTTP auth, or client‑sent JWT headers).
• Maintain an explicit list of trusted origins.
• If credentials are not needed, set Access-Control-Allow-Credentials: false (or omit the header) and keep the wildcard only for public resources.

Below are concrete, syntactically correct examples for common stacks.

Node.js / Express with the cors package

Misconfigured:

const express = require('express');
const cors = require('cors');
const app = express();

app.use(cors({
  origin: '*',            // ❌ wildcard
  credentials: true       // ❌ enables credentials with wildcard
}));

app.get('/api/profile', (req, res) => {
  const token = req.headers.authorization; // Expects Bearer JWT
  // … token validation …
  res.json({ user: getUserFromToken(token) });
});

app.listen(3000);

Corrected:

const express = require('express');
const cors = require('cors');
const app = express();

const allowedOrigins = [
  'https://app.example.com',
  'https://portal.example.com'
];

app.use(cors({
  origin: allowedOrigins,   // ✅ explicit list
  credentials: true         // ✅ safe because origin is not a wildcard
}));

app.get('/api/profile', (req, res) => {
  const token = req.headers.authorization;
  // Validate JWT
  res.json({ user: getUserFromToken(token) });
});

app.listen(3000);

Python / Flask with flask-cors

Misconfigured:

from flask import Flask, request, jsonify
from flask_cors import CORS

app = Flask(__name__)
CORS(app, origins='*', supports_credentials=True)  # ❌

@app.route('/me')
def me():
    auth = request.headers.get('Authorization')
    # Expects Bearer JWT
    return jsonify(user=decode_jwt(auth))

if __name__ == '__main__':
    app.run()

Corrected:

from flask import Flask, request, jsonify
from flask_cors import CORS

app = Flask(__name__)

trusted_origins = [
    'https://app.example.com',
    'https://portal.example.com'
]
CORS(app, origins=trusted_origins, supports_credentials=True)  # ✅

@app.route('/me')
def me():
    auth = request.headers.get('Authorization')
    return jsonify(user=decode_jwt(auth))

if __name__ == '__main__':
    app.run()

After applying the fix, rerun middleBrick (via CLI, Dashboard, GitHub Action, or MCP Server) to verify that the CORS wildcard finding disappears and the API’s security score improves.