CORS implementation

Our security team identified that the web server accepts an arbitrary Origin request header. The application implements a cross-origin resource sharing (CORS) policy for this request that allows access from any domain. We tried requests with different origins (www.fakedomain.com) and they are accepted by the server and a valid response is sent back. (PoC attached: “cors origin”)

Although, in our case,

  1. the Embedded Domain Allowlist is empty, which we assume permits requests only from our Looker domain, and
  2. Same-Origin Protections for Looker Login Pages was enabled,

the security team was still able to successfully request access from a different domain.

Please help us understand whether there are any additional steps to be followed to ensure that

  1. requests with different origins (www.fakedomain.com) are not accepted by the server.
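Two small checks that follow from the behaviour described in the post above, as an added example that is not part of the original thread or of Looker's own code: `classify_cors` labels what a probe with a test Origin actually got back (the post's case is an echoed Origin plus a 200), and `cors_response_headers` shows the exact-match allowlist behaviour a hardened server should produce instead. Function names, the `https://looker.example` host and the sample headers are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample: the response described in the post, where the arbitrary
# test Origin is echoed back together with a credentialed allow header.
OBSERVED = {
    "Access-Control-Allow-Origin": "https://www.fakedomain.com",
    "Access-Control-Allow-Credentials": "true",
}


def classify_cors(test_origin, response_headers):
    """Classify the CORS headers returned for a probe that sent `test_origin`.

    `test_origin` must be a host that is NOT meant to be allowed; if the server
    echoes it, the policy is reflecting arbitrary origins. Returns one of:
    'no-cors', 'allowlisted', 'wildcard', 'wildcard-credentials',
    'reflected', 'reflected-credentials'.
    """
    acao = response_headers.get("Access-Control-Allow-Origin")
    creds = response_headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao is None:
        return "no-cors"                      # browser blocks cross-origin reads
    if acao == "*":
        return "wildcard-credentials" if creds else "wildcard"
    if acao == test_origin:
        return "reflected-credentials" if creds else "reflected"
    return "allowlisted"                      # some fixed origin, not ours


def cors_response_headers(origin, allowlist, with_credentials=True):
    """Headers a hardened server should emit for a request carrying `origin`.

    Only an exact, case-sensitive match against `allowlist` is echoed back;
    a missing Origin, an empty allowlist, a suffix/prefix look-alike, or an
    origin carrying a path all get no CORS headers at all. A '*' is never
    combined with Allow-Credentials.
    """
    if origin is None or not allowlist:
        return {}
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc or parts.path:
        return {}
    if origin not in allowlist:              # exact match, never substring/regex
        return {}
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if with_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers
```

Run `classify_cors` against the headers your own server returns for a test Origin you do not own; anything other than `no-cors` or `allowlisted` means the policy is not restricted to your Looker domain.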

leobardor

Hi AnalystHOK,

Were you able to execute a script?

In the HTTP header, when the parameter “Origin: https://fakedomain.com” was passed,
the web server accepted the arbitrary Origin header and sent a valid 200 response code.