C Sharp Allow Any Origin CORS

Description

Identifies insecure CORS configurations in C# applications that allow requests from any origin (*). This misconfiguration exposes APIs to cross-origin requests from any domain, potentially enabling cross-site attacks and unauthorized data access.

Weakness:

134 - Insecure or unset HTTP headers - CORS

Category: Protocol Manipulation

Detection Strategy

    Detects calls to AllowAnyOrigin() method in CORS configuration

    Identifies UseCors() middleware configuration that allows any origin (*)

    Reports vulnerability when CORS is configured to accept requests from any origin without restriction

    Flags insecure CORS policies defined through variables that set unrestricted origins
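
The checks listed above, as an added Python example that is not the detection tool's own implementation: it matches on C# source text with regular expressions rather than a parsed syntax tree, and it assumes that `WithOrigins("*")` is what the page means by an origin of `*`. The C# sample and the names `find_any_origin` and `strip_comments` are constructed for illustration.

```python
import re

# Constructed C# input covering the patterns in the list above (not from the page).
SAMPLE = '''
public void Configure(IApplicationBuilder app)
{
    var anyOrigin = "*";
    app.UseCors(b => b.AllowAnyOrigin().AllowAnyMethod());   // direct call
    app.UseCors(b => b.WithOrigins("*"));                    // literal wildcard
    app.UseCors(b => b.WithOrigins(anyOrigin));              // wildcard via variable
    app.UseCors(b => b.WithOrigins("https://app.example.com"));
    // app.UseCors(b => b.AllowAnyOrigin());
}
'''

# String literals are matched first so "https://..." is not mistaken for a comment.
TOKEN = re.compile(r'"(?:\\.|[^"\\\n])*"|//[^\n]*|/\*.*?\*/', re.S)
ANY_ORIGIN = re.compile(r'\.\s*AllowAnyOrigin\s*\(\s*\)')
WITH_ORIGINS = re.compile(r'\.\s*WithOrigins\s*\(([^)]*)\)')
WILDCARD_VAR = re.compile(r'\b(\w+)\s*=\s*"\*"\s*;')


def strip_comments(src):
    """Blank out comments, keeping strings and newlines so line numbers hold."""
    def blank(m):
        text = m.group(0)
        return text if text.startswith('"') else re.sub(r'[^\n]', ' ', text)
    return TOKEN.sub(blank, src)


def find_any_origin(src):
    """Return sorted (line, pattern) pairs for CORS policies open to any origin."""
    code = strip_comments(src)
    wildcard_vars = set(WILDCARD_VAR.findall(code))
    findings = []
    for m in ANY_ORIGIN.finditer(code):
        findings.append((code.count('\n', 0, m.start()) + 1, 'AllowAnyOrigin()'))
    for m in WITH_ORIGINS.finditer(code):
        args = [a.strip() for a in m.group(1).split(',')]
        line = code.count('\n', 0, m.start()) + 1
        if '"*"' in args:
            findings.append((line, 'WithOrigins("*")'))
        for name in wildcard_vars.intersection(args):
            findings.append((line, f'WithOrigins({name})'))
    return sorted(findings)


if __name__ == '__main__':
    for line, pattern in find_any_origin(SAMPLE):
        print(f'line {line}: {pattern} allows any origin')
```

The commented-out call and the policy with an explicit `https://` origin are not reported; C# verbatim strings (`@"..."`) are outside what this example parses.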

Vulnerable code example

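using System.Net;
using Microsoft.AspNetCore.Builder;              // IApplicationBuilder
using Microsoft.AspNetCore.Cors.Infrastructure;  // CorsPolicyBuilder

public class CorsConfig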
{
    public void Configure(IApplicationBuilder app)
    {
        // VULNERABLE: Allows all origins, methods and headers - opens app to CORS attacks
        var corsBuilder = new CorsPolicyBuilder();...

✅ Secure code example

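using System.Net;
using Microsoft.AspNetCore.Builder;              // IApplicationBuilder
using Microsoft.AspNetCore.Cors.Infrastructure;  // CorsPolicyBuilder

public class CorsConfig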
{
    public void Configure(IApplicationBuilder app)
    {
        // Secure: Explicitly specify allowed origins, methods and headers
        var corsBuilder = new CorsPolicyBuilder();...