What vulnerability occurs if a website’s CORS policy allows requests from any origin? Learn how CORS misconfiguration exposes APIs to unauthorized access and data theft—essential for the CompTIA Security+ (Plus) SY0-701 exam.
Question
A web developer accidentally configures a website’s CORS policy to allow requests from any origin (*). An attacker exploits this by making unauthorized API calls on behalf of users. What vulnerability is being exploited?
A. Cross-site scripting (XSS)
B. Cross-site request forgery (CSRF)
C. CORS misconfiguration
D. HTTP response splitting
E. API endpoint poisoning
Answer
C. CORS misconfiguration
Explanation
CORS (Cross-Origin Resource Sharing) controls which domains can make requests to a web application. If it is misconfigured to allow *, any website can send requests, potentially stealing data or executing unauthorized actions.
The vulnerability being exploited when a website’s CORS (Cross-Origin Resource Sharing) policy is set to allow requests from any origin (*) is CORS misconfiguration.
CORS is a browser security feature that controls which external domains can access resources on a web server. It is enforced by the browser using HTTP headers like Access-Control-Allow-Origin.
When a website’s CORS policy is misconfigured to allow *, it means any website—trusted or malicious—can make requests to the API and potentially access sensitive data or perform actions on behalf of authenticated users.
Attackers can exploit this by creating a malicious website that sends requests to the vulnerable API. If a user is logged in, their credentials (such as cookies or tokens) may be included in the request, allowing the attacker to retrieve sensitive information or perform unauthorized actions.
This misconfiguration defeats the purpose of the Same-Origin Policy (SOP), which is designed to prevent one website from reading data from another without explicit permission.
The impact of CORS misconfiguration can include sensitive data exposure, unauthorized actions, and facilitation of other attacks such as CSRF (Cross-Site Request Forgery).
CORS misconfiguration occurs when a web server’s CORS policy is too permissive, such as allowing any origin (*), enabling attackers to make unauthorized API calls and potentially steal data or perform actions as legitimate users.
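The following is an added example, not code from the original page: a small Python model of the mechanism the explanation describes. It builds the CORS response headers a server would emit under three policies (the wildcard from the question, a reflect-any-Origin variant, and a corrected allowlist), applies the browser's own read check to each, and classifies the result the way a defender auditing an API would. The origins and the allowlist are constructed for the example. One caveat worth knowing for the exam and in practice: browsers refuse to expose a credentialed response when the header is literally `*`, so a server that reflects arbitrary origins together with `Access-Control-Allow-Credentials: true` is the variant that leaks authenticated data, while the bare wildcard still exposes anything the API returns without authentication.

```python
# Added example (not from the original page): a small model of how a browser
# evaluates CORS response headers, plus a server-side policy builder that puts
# the weak configurations beside the corrected allowlist. Origins are made up.

# Constructed allowlist of first-party origins the API should trust.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_headers(request_origin: str, policy: str) -> dict:
    """Return the CORS response headers the server emits for a given Origin.

    policy: "wildcard"  - the misconfiguration in the question (ACAO: *)
            "reflect"   - echo any Origin back and allow credentials (worse)
            "allowlist" - the corrected configuration
    """
    if policy == "wildcard":
        return {"Access-Control-Allow-Origin": "*"}
    if policy == "reflect":
        return {
            "Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
        }
    if policy == "allowlist":
        if request_origin in ALLOWED_ORIGINS:
            return {
                "Access-Control-Allow-Origin": request_origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin",  # keep caches from serving one origin's headers to another
            }
        return {}  # no CORS headers at all: the browser denies the cross-origin read
    raise ValueError(f"unknown policy {policy!r}")


def browser_allows_read(request_origin: str, with_credentials: bool, headers: dict) -> bool:
    """Simplified Fetch-standard check: may the calling page read the response body?"""
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if with_credentials:
        # Credentialed responses need an exact origin match plus ACAC: true;
        # a literal "*" is rejected by every modern browser.
        return acao == request_origin and headers.get("Access-Control-Allow-Credentials") == "true"
    return acao == "*" or acao == request_origin


def audit_cors(probe_origin: str, headers: dict) -> str:
    """Classify a response seen when our own API was probed with an origin we do not trust."""
    acao = headers.get("Access-Control-Allow-Origin")
    credentialed = headers.get("Access-Control-Allow-Credentials") == "true"
    if acao is None:
        return "ok: origin rejected"
    if acao == "*":
        return "weak: wildcard exposes every unauthenticated response to any site"
    if acao == probe_origin and probe_origin not in ALLOWED_ORIGINS:
        return "critical: untrusted origin reflected" + (" with credentials" if credentialed else "")
    return "ok: allowlisted origin"


def demo() -> dict:
    """Run the three policies against an untrusted origin and a trusted one."""
    untrusted, trusted = "https://attacker.example", "https://app.example.com"  # constructed
    results = {}
    for policy in ("wildcard", "reflect", "allowlist"):
        h = cors_headers(untrusted, policy)
        results[policy] = {
            "anon_read": browser_allows_read(untrusted, False, h),
            "cred_read": browser_allows_read(untrusted, True, h),
            "audit": audit_cors(untrusted, h),
        }
    results["allowlist_trusted"] = browser_allows_read(
        trusted, True, cors_headers(trusted, "allowlist"))
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running `demo()` shows the three outcomes side by side: the wildcard lets any page read unauthenticated responses but not credentialed ones, the reflect variant lets an untrusted page read responses sent with the victim's cookies, and the allowlist returns no CORS headers to the untrusted origin while still serving the trusted first-party app. The `Vary: Origin` header in the corrected policy matters whenever a cache sits in front of the API, so that a response generated for one allowed origin is not replayed to another.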