ajinabraham.njsscan.header_cors_star.express_cors
ajinabrahamAuthor
1,129
Download Count*
License
Access-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions.
Run Locally
Run in CI
Defintion
rules:
- id: express_cors
patterns:
- pattern-either:
- pattern-inside: function ($REQ, $RES, ...) {...}
- pattern-inside: function $FUNC($REQ, $RES, ...) {...}
- pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...}
- pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...};
- pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...})
- pattern-either:
- pattern: |
$APP.options('*', cors(...))
- pattern: |
$RES.set("=~/access-control-allow-origin/i", '*', ...)
- pattern: |
$RES.set(..., { "=~/access-control-allow-origin/i" : '*' }, ...)
- pattern: |
$RES.header("=~/access-control-allow-origin/i", '*', ...)
- pattern: >
$RES.writeHead(..., {"=~/access-control-allow-origin/i": '*' },
...)
message: Access-Control-Allow-Origin response header is set to "*". This will
disable CORS Same Origin Policy restrictions.
languages:
- javascript
severity: WARNING
metadata:
owasp-web: a6
cwe: cwe-346
license: LGPL-3.0-or-later
Short Link: https://sg.run/3xlD