Go Cors Wildcard Origin

Description

Detects insecure CORS (Cross-Origin Resource Sharing) configurations in Go Gin applications that allow all origins (*). Using wildcard CORS configuration bypasses Same-Origin Policy protections and allows any domain to make cross-origin requests to your application, potentially enabling cross-site attacks.

Weakness:

134 - Insecure or unset HTTP headers - CORS

Category: Protocol Manipulation

Detection Strategy

    Identifies when CORS configuration is created using cors.Config in Go code

    Examines the CORS configuration parameters to check if AllowOrigins or similar fields contain wildcard (*) values

    Reports a vulnerability when CORS is configured to allow all origins, which is an insecure practice

    Focuses on Go Gin framework's CORS middleware configuration patterns
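The detection strategy above can be reproduced with a purely syntactic check. The following Go program is an added example, not the scanner's own rule implementation: it parses a source file with the standard library's go/ast, finds every cors.Config composite literal, and flags an AllowOrigins slice containing "*" or an AllowAllOrigins field set to true (both are real fields of gin-contrib/cors Config). The scanned Gin snippet is a constructed sample embedded as a string; parsing does not require the gin modules to be installed.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
)

// FindWildcardCORS parses Go source text (imports need not be resolvable)
// and returns one "file:line: reason" string for every cors.Config literal
// whose AllowOrigins contains "*" or whose AllowAllOrigins is true.
func FindWildcardCORS(filename, src string) ([]string, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var findings []string
	ast.Inspect(file, func(n ast.Node) bool {
		lit, ok := n.(*ast.CompositeLit)
		if !ok || !isCorsConfig(lit.Type) {
			return true // keep descending: the literal may be nested in a call
		}
		for _, elt := range lit.Elts {
			kv, ok := elt.(*ast.KeyValueExpr)
			if !ok {
				continue
			}
			line := fset.Position(kv.Pos()).Line
			switch identName(kv.Key) {
			case "AllowOrigins":
				if sliceContainsString(kv.Value, "*") {
					findings = append(findings, fmt.Sprintf("%s:%d: AllowOrigins contains \"*\"", filename, line))
				}
			case "AllowAllOrigins":
				if identName(kv.Value) == "true" {
					findings = append(findings, fmt.Sprintf("%s:%d: AllowAllOrigins is true", filename, line))
				}
			}
		}
		return true
	})
	return findings, nil
}

// identName returns the name of a bare identifier, or "" for any other expression.
func identName(e ast.Expr) string {
	if id, ok := e.(*ast.Ident); ok {
		return id.Name
	}
	return ""
}

// isCorsConfig matches the type expression `cors.Config`.
func isCorsConfig(t ast.Expr) bool {
	sel, ok := t.(*ast.SelectorExpr)
	return ok && identName(sel.X) == "cors" && sel.Sel.Name == "Config"
}

// sliceContainsString reports whether a []string literal holds want. Origins
// assembled at runtime are invisible to this syntactic check, the usual limit
// of pattern-based rules.
func sliceContainsString(v ast.Expr, want string) bool {
	slice, ok := v.(*ast.CompositeLit)
	if !ok {
		return false
	}
	for _, e := range slice.Elts {
		if bl, ok := e.(*ast.BasicLit); ok && bl.Kind == token.STRING {
			if s, err := strconv.Unquote(bl.Value); err == nil && s == want {
				return true
			}
		}
	}
	return false
}

// Constructed sample input: the wildcard pattern the rule is meant to flag.
const vulnerableSrc = `package main
import "github.com/gin-contrib/cors"
import "github.com/gin-gonic/gin"
func main() {
	r := gin.Default()
	r.Use(cors.New(cors.Config{
		AllowOrigins: []string{"*"},
	}))
	r.Run()
}
`

func main() {
	findings, err := FindWildcardCORS("vulnerable.go", vulnerableSrc)
	fmt.Println(findings, err)
}
```

Replacing the `"*"` literal in the sample with a concrete origin makes the finding disappear, which is the behaviour the secure example below relies on.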

Vulnerable code example

package main

import (
    "github.com/gin-contrib/cors"
    "github.com/gin-gonic/gin"
    "time"
)
...

✅ Secure code example

package main

import (
    "github.com/gin-contrib/cors"
    "github.com/gin-gonic/gin"
    "time"
)
...
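To show what the secure variant has to do at runtime, here is an added example of an origin allowlist written against the standard library's net/http rather than Gin, so it runs without third-party modules; it is not code from the page or from gin-contrib/cors (where the equivalent settings are an explicit AllowOrigins list or an AllowOriginFunc callback). The allowed origin is a constructed value. The middleware echoes only allowlisted origins back in Access-Control-Allow-Origin, never "*", and emits no CORS headers for anyone else; the probe helper exercises it with httptest.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// allowedOrigins is the explicit allowlist that replaces the wildcard.
// Entries are full origins (scheme + host [+ port]); constructed sample value.
var allowedOrigins = map[string]bool{
	"https://app.example.com": true,
}

// originAllowed reports whether a request Origin is on the allowlist.
// Exact match only: prefix or suffix matching is where allowlists usually fail.
func originAllowed(origin string) bool {
	return allowedOrigins[origin]
}

// corsMiddleware sets CORS headers only for allowlisted origins. The Origin
// value is echoed back (never "*"), so credentialed requests keep working for
// trusted sites while every other origin gets no CORS headers at all.
func corsMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if origin != "" && originAllowed(origin) {
			h := w.Header()
			h.Set("Access-Control-Allow-Origin", origin)
			h.Set("Access-Control-Allow-Credentials", "true")
			h.Set("Access-Control-Allow-Methods", "GET, POST")
			h.Add("Vary", "Origin") // shared caches must key the response on Origin
		}
		if r.Method == http.MethodOptions {
			w.WriteHeader(http.StatusNoContent) // preflight: headers only, no body
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends a GET carrying the given Origin through the middleware and
// returns the Access-Control-Allow-Origin value that came back
// ("" when the origin was rejected).
func probe(origin string) string {
	handler := corsMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("ok"))
	}))
	req := httptest.NewRequest(http.MethodGet, "/api/profile", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	for _, o := range []string{"https://app.example.com", "https://evil.example", "https://app.example.com.evil.example"} {
		fmt.Printf("%-40s -> %q\n", o, probe(o))
	}
}
```

The third probe, a host that merely ends in the trusted domain, is the case that breaks suffix-based origin checks; the exact-match map rejects it.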