AkiraBrown / rc_test_part_2

Part 2 of Red Canary Take Home work (Detection Engineer)

Bug(server/app.js): CORS incorrectly configured #1

Closed AkiraBrown closed 6 days ago

AkiraBrown commented 1 week ago

On line 9, there are no CORS configurations passed to the CORS function, which means the API could receive requests from anywhere. This establishes a problem since an attacker can send whatever request they want to our API.

const express = require("express");
const cors = require("cors");
const app = express();

// Before (line 9): no options, so the cors defaults allow every origin.
// app.use(cors());

// After: only the configured frontend origin is allowed.
const targetUrl =
  process.env.NODE_ENV === "production"
    ? "<INSERT DEPLOYED FRONTEND LINK>"
    : "http://localhost:3000";
const corsOptions = {
  // Called with the request's Origin header; exact string match only.
  // Requests without an Origin header (curl, same-origin) also take the
  // else branch and are rejected.
  origin: (origin, callback) => {
    if (origin === targetUrl) {
      callback(null, true);
    } else {
      // Pass the Error object itself, not its .message string, so
      // Express error handling receives an Error.
      callback(new Error("Not allowed by CORS"), false);
    }
  },
  methods: ["GET"],
  maxAge: 3600,
  credentials: true,
};
app.use(cors(corsOptions));

CORS Configuration
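The following is an added example and not code from the rc_test_part_2 repository or the issue author. It models, as plain functions, the decision the `cors` package's `origin` option makes and (in simplified form) the headers the middleware emits, so the permissive `cors()` default and the locked-down `corsOptions` above can be compared side by side without Express or a browser. The frontend origin, the sample request origins and the helper names (`makeOriginChecker`, `corsHeadersFor`, `browserCanRead`, `compare`) are assumptions for illustration.

```javascript
// Added example, not code from the rc_test_part_2 repository. The header
// model below is a simplification of the cors middleware's behaviour.

// Build an `origin` callback in the shape the cors package expects:
// (requestOrigin, callback) => callback(err, allow).
function makeOriginChecker(allowedOrigins) {
  const allowed = new Set(allowedOrigins);
  return (origin, callback) => {
    // Non-browser clients (curl, server-to-server) and same-origin requests
    // send no Origin header, so there is nothing for CORS to gate. Returning
    // false emits no CORS headers instead of failing the request.
    if (origin === undefined) return callback(null, false);
    // Exact string match: "http://localhost:3000.evil.example" or a different
    // scheme or port must not match. Never use startsWith/includes here.
    if (allowed.has(origin)) return callback(null, true);
    // Pass the Error object itself (not `.message`) so Express error
    // handling receives an Error.
    return callback(new Error("Not allowed by CORS"), false);
  };
}

// Run a checker synchronously and capture what it passed to the callback.
function decide(checker, origin) {
  let result;
  checker(origin, (err, allow) => { result = { err, allow }; });
  return result;
}

// Simplified model of the response headers the cors middleware adds.
// `request` is { origin, method }; `options` mirrors the cors options object
// (origin as "*" or a checker function, credentials, methods, maxAge).
function corsHeadersFor(request, options = {}) {
  const opts = {
    origin: "*",
    methods: ["GET", "HEAD", "PUT", "PATCH", "POST", "DELETE"],
    ...options,
  };
  const headers = {};

  if (typeof opts.origin === "function") {
    const { err, allow } = decide(opts.origin, request.origin);
    if (err) return { error: err.message, headers }; // Express would answer 500
    if (allow) {
      headers["Access-Control-Allow-Origin"] = request.origin;
      headers["Vary"] = "Origin"; // caches must not reuse one origin's answer
    }
  } else {
    headers["Access-Control-Allow-Origin"] = opts.origin; // "*" for cors()
  }

  if (opts.credentials) headers["Access-Control-Allow-Credentials"] = "true";
  if (request.method === "OPTIONS") { // preflight
    headers["Access-Control-Allow-Methods"] = opts.methods.join(",");
    if (opts.maxAge !== undefined) headers["Access-Control-Max-Age"] = String(opts.maxAge);
  }
  return { headers };
}

// Model of the browser-side check: a script on `pageOrigin` may read the
// response only if its own origin was echoed back (with credentials also
// explicitly allowed when cookies were sent), or if "*" was sent and the
// request carried no credentials. Browsers reject "*" for credentialed requests.
function browserCanRead(pageOrigin, headers, withCredentials) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (acao === pageOrigin) {
    return !withCredentials || headers["Access-Control-Allow-Credentials"] === "true";
  }
  return acao === "*" && !withCredentials;
}

// Constructed sample: the issue's two configurations side by side.
const FRONTEND = "http://localhost:3000"; // assumed targetUrl from the issue
const permissive = {};                     // app.use(cors())
const locked = {                           // app.use(cors(corsOptions))
  origin: makeOriginChecker([FRONTEND]),
  methods: ["GET"],
  maxAge: 3600,
  credentials: true,
};

// Can a page at `pageOrigin` read a GET response under each configuration?
function compare(pageOrigin) {
  const req = { origin: pageOrigin, method: "GET" };
  return {
    permissive: browserCanRead(pageOrigin, corsHeadersFor(req, permissive).headers, false),
    locked: browserCanRead(pageOrigin, corsHeadersFor(req, locked).headers, true),
  };
}

for (const o of [FRONTEND, "https://evil.example", "http://localhost:3000.evil.example"]) {
  console.log(o, compare(o));
}
```

With the permissive default every origin can read the response; with the locked options only the configured frontend can, and look-alike origins fail the exact match. Two caveats worth keeping in mind: CORS only constrains browsers, so a non-browser client that sends no Origin header reaches the handler regardless and authorization still belongs on the API itself; and a configuration that reflects the caller's origin must send `Vary: Origin`, otherwise a shared cache can hand one origin's response to another.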

AkiraBrown commented 6 days ago

Fix

Locked API requests to be allowed from one link.