
Talk:Test Cross Origin Resource Sharing (OTG-CLIENT-007)

From OWASP
Revision as of 20:33, 25 February 2019 by Collin Sauve (talk | contribs)


I've removed the bad "Gray Box" examples as they are BOTH bad:

  • Example 1 is not an example of an inherently insecure request. Allowing all origins is perfectly fine UNLESS you also allow credentials. If anyone wants to claim that it is insecure, you'll need to justify your reasoning here, not just assert it.
  • Example 2 is an XSS problem. The only thing that CORS could do here is that CORS headers on the ATTACKER'S site could mitigate that, which is outside of your control. Just a terrible, terrible example of CORS misconfigurations, since the "misconfiguration" is on the attacker's site. Amazing that this example made it into this wiki in the first place.

Collin Sauve (talk) 14:33, 25 February 2019 (CST)
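The rule in the comment above (a wildcard origin is fine on its own, never together with credentials) as a small server-side helper and a matching response check. This is an added example, not code from the OWASP page or the testing guide; the origins in the comments and tests are constructed, and it generalises the point slightly by also handling an explicit allow-list, where the granted origin must be echoed with `Vary: Origin`.

```python
"""Build and audit CORS response headers.

Added example illustrating the talk-page point: allowing every origin is
acceptable only for credential-less access. Origins used here are
constructed sample values.
"""
from typing import Dict, Iterable, Optional, Union

WILDCARD = "*"


def build_cors_headers(request_origin: Optional[str],
                       allowed: Union[str, Iterable[str]],
                       allow_credentials: bool = False) -> Dict[str, str]:
    """Return the CORS headers a server should emit for one request.

    `allowed` is either the literal "*" (any origin, credential-less only)
    or a collection of exact origins. The insecure combination
    (wildcard + credentials) raises instead of being emitted.
    """
    headers: Dict[str, str] = {}
    if allowed == WILDCARD:
        if allow_credentials:
            raise ValueError("wildcard origin with credentials is insecure")
        headers["Access-Control-Allow-Origin"] = WILDCARD
        return headers
    if isinstance(allowed, str):
        raise ValueError('pass "*" or a collection of origins')
    if request_origin is None or request_origin not in set(allowed):
        return headers  # no grant: the browser blocks the cross-origin read
    # Echo only an allow-listed origin, and tell caches the answer varies.
    headers["Access-Control-Allow-Origin"] = request_origin
    headers["Vary"] = "Origin"
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def audit_cors_headers(headers: Dict[str, str]) -> str:
    """Classify a captured response: 'no-cors', 'ok' or 'insecure'."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    origin = lower.get("access-control-allow-origin")
    creds = lower.get("access-control-allow-credentials", "").lower() == "true"
    if origin is None:
        return "no-cors"
    # Wildcard alone is fine; wildcard plus credentials is the bad config.
    return "insecure" if (origin == WILDCARD and creds) else "ok"
```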