CWE-942: Overly Permissive CORS

Overview

This guidance helps you interpret and remediate findings from DAST (Dynamic Application Security Testing) tools. The scanner detected overly permissive cross-domain policies (CORS, crossdomain.xml, Flash policies) that allow untrusted domains to access application resources. Evidence includes Access-Control-Allow-Origin: * headers on sensitive endpoints, acceptance of arbitrary origins in CORS preflight responses, or wildcard policies in crossdomain.xml. The scanner sends requests with various Origin headers and observes whether the CORS responses are permissive.

Analyzing the Dynamic Scan Result

What the DAST Scanner Found

DAST findings for CWE-942 typically indicate that cross-origin requests were permitted in ways that exceeded the intended trust boundary, such as:

  • Wildcard origins allowing broad access
  • Origin reflection without trust validation
  • Credentialed requests permitted from untrusted origins
  • Inconsistent enforcement across endpoints

Evidence is based on observed runtime CORS behavior, not on request parameters or payload syntax.

Mapping DAST Findings to Source Code

CWE-942 does not map to a specific vulnerable endpoint. The issue resides in how the application defines and enforces cross-origin trust boundaries.

When tracing this issue in code and configuration, review:

  • Global CORS policies and middleware
  • How allowed origins are defined and enforced
  • Whether credentialed requests are permitted cross-origin
  • Framework defaults or environment-specific overrides
  • Consistency of CORS enforcement across the application

Remediation

Core Principle: Never extend browser trust to unintended origins; cross-origin access must be explicitly limited to a small, well-defined set of trusted origins and enforced consistently by design.

→ For comprehensive remediation guidance, see Static CWE-942 Guidance
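As an added example (not code from this guidance or from any particular framework), the origin-reflecting pattern the scanner reports is shown beside an exact-match allowlist, followed by a check that classifies a response using the finding categories above. TRUSTED_ORIGINS and the origin values are constructed assumptions.

```python
# Hypothetical trusted-origin allowlist, constructed for this example.
# Entries are complete origins (scheme://host[:port]) compared exactly, so
# "https://app.example.com.attacker.test" or "http://app.example.com" never match.
TRUSTED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://admin.example.com:8443",
})


def reflecting_cors(request_origin):
    """The permissive pattern the scanner reports: the request's Origin is
    echoed back unconditionally and credentials are allowed, so any site can
    read authenticated responses from this application."""
    if request_origin is None:
        return {}
    return {"Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true"}


def allowlisted_cors(request_origin):
    """Hardened version: only an exact match against TRUSTED_ORIGINS receives
    a grant; every other origin gets no Access-Control-* headers, so the
    browser blocks the cross-origin read. Vary: Origin is always emitted so a
    shared cache never serves one origin's grant to another."""
    headers = {"Vary": "Origin"}
    if request_origin in TRUSTED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = request_origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def cors_findings(request_origin, headers):
    """Classify a response the way the DAST check does: compare the Origin
    that was sent with the grant that came back. Returns finding labels
    (an empty list means the response is acceptable for that origin)."""
    acao = headers.get("Access-Control-Allow-Origin")
    credentialed = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    findings = []
    if acao == "*":
        findings.append("wildcard-origin")
    elif acao == "null":
        findings.append("null-origin-allowed")
    elif acao is not None and acao not in TRUSTED_ORIGINS:
        findings.append("origin-reflection" if acao == request_origin
                        else "untrusted-origin-allowed")
    if credentialed and findings:
        # Credentials granted to an origin that is not trusted is the worst case.
        findings.append("credentialed-grant")
    return findings
```

Run the allowlisted variant through cors_findings with the same untrusted origins the scanner used to confirm the finding no longer reproduces.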

Verification and Follow-Up Testing

After applying the fix:

1. Verify Trust Boundary Enforcement

  • Confirm cross-origin access is limited to explicitly approved origins
  • Ensure credentialed requests are not permitted from untrusted origins

2. Test Edge Cases

  • Authenticated vs unauthenticated requests
  • Preflight handling
  • Environment-specific CORS behavior

Re-run DAST Scanner

Re-run the dynamic scanner to confirm overly permissive cross-origin behavior is no longer observed.

Additional Resources