Python Http Uncontrolled Cors Origin
Description
Detects insecure Cross-Origin Resource Sharing (CORS) configurations in Python HTTP servers where the Access-Control-Allow-Origin header is set in an unsafe manner. This can allow malicious websites to make requests to your server and access sensitive data.
Detection Strategy
• Identifies Python code using the http.server module for server implementation
• Checks for HTTP response header configurations where Access-Control-Allow-Origin is set
• Reports issues when CORS origin is set to overly permissive values like '*' or when origin validation is insufficient
• Flags cases where CORS headers are dynamically set without proper origin validation logic
Vulnerable code example
from http.server import BaseHTTPRequestHandler
class VulnerableHandler(BaseHTTPRequestHandler):
def do_GET(self):
# VULNERABLE: Directly using untrusted header value in CORS header
origin = self.headers.get('Origin')
self.send_response(200)
self.send_header('Access-Control-Allow-Origin', origin) ...✅ Secure code example
from http.server import BaseHTTPRequestHandler
# Define allowed origins
TRUSTED_ORIGINS = ['https://trusted.com', 'https://partner.com']
class SecureHandler(BaseHTTPRequestHandler):
def do_GET(self):
# Get Origin header and validate against allowlist...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.