HIGH cors wildcardsailsbasic auth

Cors Wildcard in Sails with Basic Auth

Scan for cors wildcard in sails

Cors Wildcard in Sails with Basic Auth — how this specific combination creates or exposes the vulnerability

When an API built with Sails.js uses both a wildcard CORS policy and HTTP Basic Authentication, it can unintentionally permit cross-origin authenticated requests that should be restricted. In Sails, the CORS configuration is typically defined in config/cors.js. A common developer mistake is setting origin: "*" while also expecting Basic Auth (a username and password transmitted in the Authorization header) to protect access.

Browsers enforce CORS for cross-origin requests that include credentials such as HTTP Basic Auth. If credentials: true is not set alongside a specific origin, a wildcard origin: "*" is disallowed by the browser when credentials are present. However, some non-browser clients or misconfigured HTTP clients may not enforce this rule strictly. In Sails, if the CORS settings permit any origin and the application accepts Basic Auth, an attacker can craft a request from an arbitrary origin that includes valid credentials. Because CORS is a browser-enforced mechanism, server-side Sails code might still process the request as authenticated, assuming the Authorization header is valid.

This combination exposes two related risks. First, it can facilitate cross-origin authenticated requests where the origin is not explicitly trusted, potentially bypassing intended access controls. Second, if the API also reflects or leaks request details, it may aid in further attacks such as CSRF or unauthorized data access. For example, an attacker’s webpage could include an Image tag or an XMLHttpRequest that sends a request with Basic Auth headers to the Sails endpoint. While the browser may block the response in a web context, the server has already processed the request, and any side effects or data exposure occur.

Using middleBrick to scan such an API will flag the CORS misconfiguration and the presence of Basic Auth in unauthenticated scans, highlighting the risky pairing. The scanner’s checks for Authentication and Property Authorization can surface the exposed endpoint, and findings will include remediation guidance to align the CORS policy with the authentication mechanism.

Basic Auth-Specific Remediation in Sails — concrete code fixes

To secure a Sails API that uses HTTP Basic Authentication, explicitly define allowed origins and ensure that CORS settings match the trust boundary of your authentication. Avoid using a wildcard origin when credentials are required. Below is a minimal, secure configuration example.

// config/cors.js
module.exports.cors = {
  origin: 'https://trusted.example.com',
  credentials: true,
  allowHeaders: ['authorization', 'content-type'],
  exposedHeaders: [],
  maxAge: 3600,
  routes: {
    // exclude paths that do not need CORS, such as health checks
    ignoreRoutes: ['swagger.json', 'health']
  }
};

In your Sails controllers or policies, validate the Origin header when processing requests that include Basic Auth. This reinforces CORS enforcement at the application level. Here is an example policy that checks the origin before allowing the request to proceed.

// api/policies/basicAuthCorsPolicy.js
module.exports = function (req, res, next) {
  const allowedOrigin = 'https://trusted.example.com';
  const requestOrigin = req.headers.origin;
  const authHeader = req.headers.authorization;

  if (authHeader && authHeader.startsWith('Basic ')) {
    if (requestOrigin !== allowedOrigin) {
      return res.forbidden({
        error: 'CORS origin not allowed',
        message: 'Requests with Basic Auth must come from the trusted origin.'
      });
    }
  }
  return next();
};

Ensure your Basic Auth implementation does not leak credentials in logs or error messages. When parsing the Authorization header, avoid exposing the raw header value. Below is a safe example of extracting and validating credentials in a Sails route without echoing sensitive data.

// api/controllers/UserController.js
const auth = require('basic-auth');

module.exports = {
  login: function (req, res) {
    const user = auth(req);
    if (!user || !validateCredentials(user.name, user.pass)) {
      return res.unauthorized('Invalid credentials');
    }
    // Proceed with authenticated logic
    return res.ok({ session: 'token-or-cookie-based-session' });
  }
};

For production, prefer token-based authentication over Basic Auth where possible, but if you must use Basic Auth, enforce strict CORS rules and monitor scans with tools like middleBrick to detect misconfigurations early.

Related CWEs: dataExposure

CWE IDNameSeverity
CWE-200Exposure of Sensitive Information HIGH
CWE-209Error Information Disclosure MEDIUM
CWE-213Exposure of Sensitive Information Due to Incompatible Policies HIGH
CWE-215Insertion of Sensitive Information Into Debugging Code MEDIUM
CWE-312Cleartext Storage of Sensitive Information HIGH
CWE-359Exposure of Private Personal Information (PII) HIGH
CWE-522Insufficiently Protected Credentials CRITICAL
CWE-532Insertion of Sensitive Information into Log File MEDIUM
CWE-538Insertion of Sensitive Information into Externally-Accessible File HIGH
CWE-540Inclusion of Sensitive Information in Source Code HIGH
Scan for cors wildcard in sails Free API security scan

Frequently Asked Questions

Why does setting origin: "*" with credentials create a security risk in Sails?
A wildcard origin with credentials can allow cross-origin authenticated requests from untrusted origins because browsers block such combinations unless origins are explicitly listed. This may permit unauthorized origins to make authenticated requests that the server processes, undermining intended access controls.
Does middleBrick fix CORS or Basic Auth issues?
middleBrick detects and reports misconfigurations, including CORS wildcard usage and Basic Auth exposure, providing remediation guidance. It does not automatically fix, patch, block, or remediate issues.

Related Pages

Cors Wildcard in SailsSails CORS wildcard misconfigurations create dangerous cross-origin attack surfaces. Learn Sails-specific detection and Cors Wildcard with Basic AuthHow CORS wildcard configurations create vulnerabilities when combined with Basic Auth authentication, including detectioCors Wildcard in Sails on CloudflareUnderstand how CORS wildcard misconfigurations in Sails apps behind Cloudflare create security risks and apply concrete Cors Wildcard in Sails on HerokuUnderstand how CORS wildcard misconfigurations in Sails on Heroku expose APIs, and apply concrete fixes with environmentCors Wildcard in Sails on AzureCORS wildcard risks in Sails hosted on Azure, with secure configuration examples and Azure-specific hardening guidance.Cors Wildcard in Sails on DockerCORS wildcard risks in Sails running inside Docker, with Docker-specific remediation and configuration examples.Pci Dss: Cors Wildcard in SailsExplore how wildcard CORS in Sails can conflict with Pci DSS, and apply concrete configuration fixes to restrict originsSoc2: Cors Wildcard in SailsUnderstand how wildcard CORS in Sails affects SOC 2 controls and apply concrete fixes with code examples for origin alloIso 27001: Cors Wildcard in SailsUnderstand the conflict between wildcard CORS and ISO 27001 in Sails, and apply concrete remediation with code examples.Cis: Cors Wildcard in SailsUnderstanding Cis risks with wildcard CORS in Sails and secure configuration patterns with concrete code examples.Cors Wildcard in Sails with DynamodbCORS wildcard risks in Sails with DynamoDB: causes, remediation, and code examples for securing origins and tenant isolaCors Wildcard in Sails with CockroachdbAnalyze CORS wildcard risks with CockroachDB in Sails, with concrete remediation code and policy checks.