MEDIUM CORS Misconfiguration

Cors Wildcard in APIs

Scan your API for cors wildcard

What is CORS Wildcard?

CORS (Cross-Origin Resource Sharing) wildcard vulnerability occurs when APIs configure their CORS headers to accept requests from any origin using the asterisk (*) wildcard. This is typically seen in the Access-Control-Allow-Origin header set to *, which tells browsers to allow any website to make cross-origin requests to your API.

The vulnerability arises from overly permissive CORS configurations that fail to restrict which domains can access your API. When an API responds with Access-Control-Allow-Origin: *, it effectively removes the browser's same-origin policy protection for that endpoint, allowing any website to interact with your API as if it were their own.

This becomes particularly dangerous when combined with authentication mechanisms like cookies or authorization headers, as malicious sites can then make requests on behalf of authenticated users without their knowledge.

How CORS Wildcard Affects APIs

The impact of CORS wildcard vulnerabilities varies based on your API's authentication model and the sensitivity of the data it handles. Here are the primary attack scenarios:

  • Data Harvesting: Attackers can create malicious websites that automatically harvest data from your API by making authenticated requests on behalf of logged-in users. This is especially dangerous for APIs handling personal information, financial data, or proprietary business information.
  • Credential Theft via CSRF: While CORS itself doesn't bypass CSRF protections, the combination of wildcard CORS and missing CSRF tokens creates a perfect storm. Attackers can craft sites that trick users into making state-changing requests to your API.
  • API Abuse: Public APIs with wildcard CORS become targets for abuse, as anyone can integrate them into malicious applications without restrictions.
  • Information Disclosure: Even without authentication, wildcard CORS can expose API endpoints and their responses to unauthorized third-party sites, potentially revealing internal system details.

A real-world example: In 2020, a popular fitness tracking API was found to have wildcard CORS enabled on endpoints that returned user location data and activity logs. This allowed any website to track users' movements by simply having them visit a malicious page while logged into the fitness service.

How to Detect CORS Wildcard

Detecting CORS wildcard vulnerabilities requires both manual testing and automated scanning. Here's what to look for:

  • Manual Testing: Use browser developer tools or curl to make cross-origin requests to your API endpoints. Check the Access-Control-Allow-Origin response header. If it's set to *, you have a wildcard configuration.
  • Automated Scanning: Tools like middleBrick automatically detect CORS misconfigurations during its 5-15 second security scan. The scanner tests various origins and identifies endpoints with wildcard CORS policies.
  • OPTIONS Method Testing: Many APIs implement CORS by handling OPTIONS preflight requests. Test these endpoints specifically, as they're common locations for wildcard configurations.
  • Configuration Review: Examine your web server or application framework's CORS middleware configuration. Look for settings that use wildcards or broad origin matching patterns.

middleBrick's CORS detection goes beyond simple header checking. It analyzes the context of wildcard usage, checking whether sensitive endpoints are affected and whether authentication mechanisms are in use. The scanner provides specific findings with severity levels and remediation guidance tailored to your API's configuration.

Prevention & Remediation

Fixing CORS wildcard vulnerabilities requires a security-first approach to cross-origin resource sharing. Here are concrete remediation steps:

  1. Whitelist Specific Origins: Replace * with a comma-separated list of trusted domains. For example:
    // Node.js/Express example
app.use(cors({
  origin: ['https://yourdomain.com', 'https://yourapp.com'],
  credentials: true
}));
  2. Implement Dynamic Origin Validation: For APIs with many trusted origins, validate the Origin header against a database of allowed domains:
    // Dynamic origin validation
const allowedOrigins = await getAuthorizedOrigins(apiKey);
const corsOptions = {
  origin: function (origin, callback) {
    if (allowedOrigins.includes(origin)) {
      callback(null, true);
    } else {
      callback(new Error('Not allowed by CORS'));
    }
  }
};
  3. Restrict Credentials: When using Access-Control-Allow-Origin: *, browsers automatically set Access-Control-Allow-Credentials: false. If you need credentialed requests, you cannot use wildcards and must specify exact origins.
  4. Audit Third-Party Libraries: Many frameworks have default CORS configurations that use wildcards. Review and override these defaults in your application code.
  5. Implement Additional Security Layers: Combine proper CORS configuration with CSRF tokens, rate limiting, and authentication checks to provide defense in depth.

For APIs that legitimately need to be public, consider implementing API keys or OAuth instead of relying on CORS for access control. CORS is about browser security, not API authentication.

Real-World Impact

CORS wildcard vulnerabilities have caused significant security incidents across various industries. While specific company names are often kept confidential, the patterns are well-documented:

  • Financial Services: Investment platforms have exposed portfolio data through wildcard CORS, allowing malicious investment tracking sites to harvest user financial information without authorization.
  • Healthcare APIs: Medical data APIs with wildcard CORS have led to unauthorized access to patient records when combined with weak authentication mechanisms.
  • Social Media Platforms: Several social networks have had user profile data and activity feeds exposed through overly permissive CORS policies, enabling cross-site tracking and data harvesting.

The OWASP API Security Top 10 includes CORS misconfiguration as a significant concern, particularly when it enables data exposure or authentication bypass. CVE-2021-38513 documented a CORS misconfiguration in a popular collaboration platform that allowed unauthorized cross-origin access to user data.

The financial impact extends beyond data breaches. Companies facing CORS-related incidents often incur costs from incident response, customer notifications, regulatory fines (especially under GDPR and CCPA), and loss of user trust. Implementing proper CORS controls is a cost-effective preventive measure compared to the potential damages of exploitation.

Scan for cors wildcard View all security checks

Frequently Asked Questions

Is CORS wildcard always a vulnerability?
Not necessarily. CORS wildcard is only a vulnerability when it exposes sensitive data or allows unauthorized actions. Public APIs that serve non-sensitive content and don't rely on authentication may legitimately use wildcard CORS. The key question is whether the exposed functionality should be accessible from any origin.
How does CORS wildcard differ from CORS misconfiguration?
CORS wildcard is a specific type of CORS misconfiguration where the origin is set to *. CORS misconfiguration is broader and includes other issues like allowing credentials with wildcard origins, overly permissive methods/headers, or failing to validate the Origin header properly. All CORS wildcard issues are misconfigurations, but not all CORS misconfigurations involve wildcards.
Can CORS protect my API from attacks?
No. CORS is a browser security mechanism, not an API security control. It prevents browsers from making cross-origin requests in ways that would violate the same-origin policy, but it doesn't protect your API from direct attacks, bots, or requests from non-browser clients. Always implement proper authentication, authorization, and input validation regardless of your CORS configuration.