Ruby CORS Wildcard Origin
Description
Detects insecure CORS (Cross-Origin Resource Sharing) configurations in Ruby on Rails applications that use the wildcard origin (*) in their Rack::Cors middleware. A wildcard origin lets a page served from any domain make cross-origin requests to the application and read the responses. That is harmless for genuinely public, unauthenticated resources, but for endpoints that return per-user data it lets a malicious site exfiltrate that data through the victim's browser. The combination with credentials: true is the worst case: browsers refuse to honour Access-Control-Allow-Origin: * together with Access-Control-Allow-Credentials: true, so a middleware that satisfies such a configuration can only do so by reflecting the requesting Origin, which turns every authenticated endpoint into a cross-origin data source for any attacker-controlled page. Whether the middleware rejects the combination, reflects the origin or silently drops credentials, the wildcard should be replaced with an explicit allowlist.
Detection Strategy
• Identifies Rack::Cors middleware configurations in Ruby code
• Examines CORS configuration settings to detect wildcard (*) origins
• Reports a vulnerability when CORS is configured to allow requests from any origin (*)
• Focuses on Rails middleware setup code where CORS rules are defined
Vulnerable code example

  Rails.application.config.middleware.insert_before 0, Rack::Cors do
    allow do
      origins '*' # ⚠️ Vulnerable: allows requests from any origin
      resource '*',
        headers: :any,
        methods: [:get, :post, :options],
        credentials: true # Critical: credentials together with a wildcard origin
    end
  end

✅ Secure code example
  Rails.application.config.middleware.insert_before 0, Rack::Cors do
    allow do
      origins 'https://trusted-frontend.example.com' # only the specific trusted origin, scheme included
      resource '*',
        headers: :any,
        methods: [:get, :post, :options],
        credentials: true,
        expose: ['Authorization'] # explicitly list the response headers scripts may read
    end
  end

The allowlisted value must be a full origin (scheme, host and, where applicable, port), not a bare hostname, and an allowlist with several entries should be kept short and reviewed like any other trust boundary.
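An added example of the matching rules an origin allowlist has to enforce (illustrative code, not rack-cors internals; rack-cors performs this comparison itself when given strings or regexes). Exact string entries are compared whole, so a scheme downgrade or a host that merely starts with the trusted name is rejected; regex entries, an assumed extension for per-tenant subdomains, are anchored with \A and \z, because an unanchored pattern such as /example\.com/ would also match https://example.com.evil.net. The Vary: Origin header is added so caches do not serve one origin's Access-Control-Allow-Origin value to another.

```ruby
# Added example, not part of the original page or of rack-cors.
ALLOWED_ORIGINS = [
  'https://trusted-frontend.example.com',             # exact match, scheme included
  %r{\Ahttps://[a-z0-9-]+\.app\.example\.com\z}.freeze # anchored: one label under app.example.com
].freeze

# Returns true only for an Origin value that exactly matches a string entry
# or is fully matched by an anchored regex entry. The literal "null" origin
# (sandboxed iframes, file:// pages) is never allowed.
def origin_allowed?(origin, allowlist = ALLOWED_ORIGINS)
  return false if origin.nil? || origin.empty? || origin == 'null'

  allowlist.any? do |entry|
    case entry
    when String then entry == origin
    when Regexp then entry.match?(origin)
    else false
    end
  end
end

# Builds the CORS response headers for a credentialed resource. An origin that
# is not on the allowlist gets no CORS headers at all, so the browser blocks
# the cross-origin read; the wildcard is never emitted.
def cors_headers_for(origin)
  return {} unless origin_allowed?(origin)

  {
    'Access-Control-Allow-Origin' => origin,
    'Access-Control-Allow-Credentials' => 'true',
    'Vary' => 'Origin'
  }
end
```

Pair this with a short allowlist: every entry is an origin whose JavaScript may read authenticated responses, so each one carries the same trust as the application itself.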