Typescript Cors Wildcard Origin With Credentials
Description
Detects insecure CORS (Cross-Origin Resource Sharing) configurations in Koa applications where wildcard origins (*) are used together with credentials. This combination creates a serious security risk by potentially allowing any origin to make authenticated requests to the application.
Detection Strategy
• Check Koa application configuration code for CORS middleware or settings
• Look for CORS configuration that sets 'origin' to '*' or wildcard pattern
• Verify if credentials are enabled in the same CORS configuration
• Report vulnerability if wildcard origin is used together with credentials enabled
Vulnerable code example
const Koa = require('koa');
const cors = require('@koa/cors');
const app = new Koa();
// VULNERABLE: Enables CORS with dangerous wildcard origin and credentials
app.use(cors({
origin: '*', // Security risk: Allows requests from any domain
credentials: true // Dangerous when combined with wildcard origin...✅ Secure code example
const Koa = require('koa');
const cors = require('@koa/cors');
const app = new Koa();
// Define allowed origins for better security
const allowedOrigins = [
'https://trusted-app.com',
'https://api.trusted-app.com'...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.