Python Cors Wildcard Origin
Description
Detects insecure CORS configurations in Flask applications where wildcard origins ('*') are used. This configuration allows any domain to make cross-origin requests to your API, potentially exposing sensitive data to malicious websites.
Detection Strategy
• Check for CORS configuration calls in Flask applications
• Examine if CORS is initialized with wildcard origin ('*') or allows all origins
• Verify the CORS configuration is applied to a Flask application instance
• Report a vulnerability when CORS is configured to accept requests from any origin
Vulnerable code example
from flask import Flask
from flask_cors import CORS
app = Flask(__name__)
# Vulnerable: Allows requests from any origin without restrictions
CORS(app) # Opens API to any domain, risking cross-origin attacks
...✅ Secure code example
from flask import Flask
from flask_cors import CORS
app = Flask(__name__)
# Secure: Restrict CORS to specific trusted origins and methods
CORS(app,
resources={...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.