| name | sc-cors |
| description | CORS misconfiguration detection โ wildcard origin, reflected origin, null origin, and credential leaks |
| license | MIT |
| metadata | {"author":"ersinkoc","category":"security","version":"1.0.0"} |
SC: CORS Misconfiguration
Purpose
Detects Cross-Origin Resource Sharing misconfigurations that allow unauthorized cross-origin access to sensitive APIs. Covers wildcard origins with credentials, reflected origin without validation, null origin allowance, overly permissive regex matching, and subdomain matching bypasses.
Activation
Called by sc-orchestrator during Phase 2 when HTTP APIs are detected.
Phase 1: Discovery
Keyword Patterns to Search
"Access-Control-Allow-Origin", "cors(", "CORS(",
"allowOrigin", "allow_origin", "AllowOrigin",
"Access-Control-Allow-Credentials",
"corsOptions", "cors_allowed_origins"
Vulnerability Patterns
1. Wildcard with Credentials:
app.use(cors({
origin: '*',
credentials: true
}));
2. Reflected Origin:
app.use((req, res, next) => {
res.setHeader('Access-Control-Allow-Origin', req.headers.origin);
res.setHeader('Access-Control-Allow-Credentials', 'true');
next();
});
const ALLOWED_ORIGINS = ['https://app.example.com', 'https://admin.example.com'];
app.use(cors({
origin: (origin, callback) => {
if (!origin || ALLOWED_ORIGINS.includes(origin)) {
callback(null, true);
} else {
callback(new Error('CORS not allowed'));
}
},
credentials: true
}));
3. Null Origin Allowed:
CORS_ALLOWED_ORIGINS = ['null']
4. Regex Bypass:
origin: /\.example\.com$/
origin: /^https:\/\/([a-z]+\.)?example\.com$/
Severity Classification
- Critical: Reflected origin + credentials on endpoints with sensitive data
- High: Null origin allowed + credentials, regex bypass allowing attacker domains
- Medium: Wildcard origin on non-credential endpoints with sensitive data
- Low: Overly permissive CORS on public data endpoints
Output Format
Finding: CORS-{NNN}
- Title: CORS Misconfiguration โ {type}
- Severity: Critical | High | Medium | Low
- Confidence: 0-100
- File: file/path:line
- Vulnerability Type: CWE-942 (Permissive Cross-domain Policy)
- Description: {CORS configuration allows unauthorized cross-origin access.}
- Impact: Cross-origin data theft, account takeover via CSRF-like attacks.
- Remediation: Implement strict origin allowlist. Never reflect origin without validation.
- References: https://cwe.mitre.org/data/definitions/942.html
Common False Positives
- Public APIs โ APIs serving public data may intentionally use
*
- CDN/static assets โ CORS
* on static files is standard practice
- Development configuration โ
localhost origins in dev config
- API gateways โ CORS may be configured at the gateway level, not application level