Python Cors Allow Any Origin
Description
Detects an insecure Cross-Origin Resource Sharing (CORS) configuration in Python Starlette applications (FastAPI uses the same middleware): CORSMiddleware registered with allow_origins=["*"], so any website may send cross-origin requests to the application and read the responses. This removes the protection the browser's Same-Origin Policy would otherwise give the API. The finding is most serious when allow_credentials=True is also set. Browsers refuse to expose a response that carries Access-Control-Allow-Origin: * together with credentials, but Starlette's CORSMiddleware replaces the wildcard with the request's own Origin value when the request carries cookies, so a malicious page can make authenticated requests with the victim's session cookie (provided the cookie's SameSite attribute permits it) and read the response.
Detection Strategy
• Identifies usage of Starlette's CORSMiddleware through middleware registration
• Checks for calls to the 'add_middleware' method with CORSMiddleware as the first positional argument
• Examines the keyword arguments of that call to detect whether allow_origins contains the wildcard '*'
• Reports a vulnerability when CORSMiddleware is configured with an overly permissive origin setting, noting whether allow_credentials=True is combined with it
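The detection strategy above, carried out with the standard library's ast module, as an added example that is not Fluid Attacks' own scanner: find_permissive_cors walks a Python module, looks for .add_middleware(...) calls whose first positional argument is CORSMiddleware, and reports those whose allow_origins keyword contains "*", recording whether allow_credentials=True is set as well. The Finding class and the two source strings are constructed for this example; the origin in the secure sample is a placeholder.

```python
"""Added example: a minimal AST check mirroring the detection strategy
described above (not Fluid Attacks' own scanner)."""
from __future__ import annotations

import ast
from dataclasses import dataclass


@dataclass
class Finding:
    line: int
    allow_credentials: bool
    message: str


def _is_cors_middleware(node: ast.expr) -> bool:
    """Matches CORSMiddleware or cors.CORSMiddleware as the first argument."""
    if isinstance(node, ast.Name):
        return node.id == "CORSMiddleware"
    if isinstance(node, ast.Attribute):
        return node.attr == "CORSMiddleware"
    return False


def _has_wildcard(node: ast.expr | None) -> bool:
    """True for allow_origins="*", ["*"], ("*",) or any literal list containing "*"."""
    if node is None:
        return False
    if isinstance(node, ast.Constant):
        return node.value == "*"
    if isinstance(node, (ast.List, ast.Tuple, ast.Set)):
        return any(isinstance(e, ast.Constant) and e.value == "*" for e in node.elts)
    return False


def find_permissive_cors(source: str) -> list[Finding]:
    """Return one Finding per add_middleware(CORSMiddleware, allow_origins=<wildcard>) call."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Only <something>.add_middleware(...) calls are of interest.
        if not (isinstance(func, ast.Attribute) and func.attr == "add_middleware"):
            continue
        # ... with CORSMiddleware as the first positional argument.
        if not node.args or not _is_cors_middleware(node.args[0]):
            continue
        kwargs = {kw.arg: kw.value for kw in node.keywords if kw.arg}
        if not _has_wildcard(kwargs.get("allow_origins")):
            continue
        creds = kwargs.get("allow_credentials")
        with_creds = isinstance(creds, ast.Constant) and creds.value is True
        message = "CORSMiddleware allows any origin"
        if with_creds:
            message += " with allow_credentials=True (credentialed cross-site requests)"
        findings.append(Finding(node.lineno, with_creds, message))
    return findings


# Constructed sample inputs for this example.
VULNERABLE_SRC = """\
from starlette.applications import Starlette
from starlette.middleware.cors import CORSMiddleware
app = Starlette()
app.add_middleware(CORSMiddleware, allow_origins=["*"], allow_credentials=True)
"""

SECURE_SRC = """\
from starlette.applications import Starlette
from starlette.middleware.cors import CORSMiddleware
app = Starlette()
app.add_middleware(
    CORSMiddleware,
    allow_origins=["https://app.example.com"],  # placeholder origin
    allow_credentials=True,
)
"""

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_SRC), ("secure", SECURE_SRC)):
        for f in find_permissive_cors(src):
            print(f"{name}: line {f.line}: {f.message}")
```

The check is deliberately literal-only: an allow_origins value built at runtime (for example from an environment variable) is not inspected, which is the usual blind spot of this kind of static rule and a reason to also review the deployed configuration.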
Vulnerable code example
from starlette.applications import Starlette
from starlette.middleware.cors import CORSMiddleware
from starlette.responses import JSONResponse

app = Starlette()

# ❌ Dangerous: Allows any origin with credentials enabled
app.add_middleware(
    CORSMiddleware,
    allow_origins=["*"],      # any website may call this API
    allow_credentials=True,   # and the browser will attach the user's cookies
)
✅ Secure code example
from starlette.applications import Starlette
from starlette.middleware.cors import CORSMiddleware
from starlette.responses import JSONResponse
from starlette.requests import Request

app = Starlette()

# ✅ Secure: Define allowed origins explicitly and restrict CORS settings
# (the origin below is a placeholder; list your real front-end origins)
app.add_middleware(
    CORSMiddleware,
    allow_origins=["https://app.example.com"],
    allow_credentials=True,
    allow_methods=["GET", "POST"],
)