Azure / api-management-developer-portal

Developer portal provided by the Azure API Management service.
MIT License
487 stars 317 forks

Origin header validation #1201

Closed CosminLazar closed 6 months ago

CosminLazar commented 3 years ago

Bug description

When using the developer portal to edit a user's name, a request is made to the following URL https://apim-bilinfo-prod.management.azure-api.net/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.ApiManagement/service/xxx/users/5ef4736afe762c1cc8a3baa1?appType=developerPortal&api-version=2019-12-01

It seems that the endpoint does not validate the value of the origin header of the request. When the response is returned the value of the access-control-allow-origin header is set to the domain specified in the request.

I don't think this is a security issue per se, because even though any website can make requests to the API, it seems the authentication used does not rely on cookies, so the request will fail to authorize. However, it might be a good idea to validate the value of the origin header using the known list from the Custom domains list (specified in the Deployment + infrastructure section).

Reproduction steps

  1. Run curl -I -H "origin:https://www.random-website.com" "https://apim-bilinfo-prod.management.azure-api.net/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.ApiManagement/service/xxx/users/5ef4736afe762c1cc8a3baa1?appType=developerPortal&api-version=2019-12-01"
  2. Check the value of access-control-allow-origin header, it will be https://www.random-website.com

Expected behavior

Whitelist and validate the values of the Origin header using the values specified in the Custom domains list (specified in the Deployment + infrastructure section).

Is your portal managed or self-hosted?

Managed

API Management service name

apim-bilinfo-prod

Environment

Environment agnostic
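The two behaviours discussed in this report, an endpoint that echoes whatever Origin it receives versus one that checks the Origin against a known list, as an added example in JavaScript. This is illustration code, not code from the api-management-developer-portal project or from the reporter; the ALLOWED_ORIGINS list stands in for the Custom domains list and is an assumption, as are all function names. The classifier at the end mirrors step 2 of the reproduction: it reads the access-control-allow-origin header of a response and says whether the probe origin was reflected, and separately flags the combination that makes reflection exploitable, namely Access-Control-Allow-Credentials: true on top of a browser request that carried credentials (cookies or HTTP auth). A bearer token that the page has to attach by hand is not sent by a cross-origin attacker page, which is why the reporter classes this as hardening rather than a vulnerability.

```javascript
// Added example, not code from the api-management-developer-portal project.
// Contrasts an Origin-reflecting CORS responder (the behaviour reported in
// this issue) with an allowlist-based one, and classifies probe results the
// way step 2 of the reproduction does. All names here are assumptions.

// Hypothetical allowlist standing in for the portal's "Custom domains" list.
const ALLOWED_ORIGINS = [
  "https://developer.example.com",
  "https://portal.example.com:8443",
];

// Normalise an Origin header value to its serialised form scheme://host[:port].
// Returns null for "null", non-http(s) schemes, userinfo, paths, queries or
// anything unparsable, so none of those can ever be echoed back.
function normalizeOrigin(value) {
  if (typeof value !== "string") return null;
  let u;
  try {
    u = new URL(value);
  } catch (e) {
    return null; // "null" and garbage both land here
  }
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  if (u.username || u.password || u.pathname !== "/" || u.search || u.hash) return null;
  return u.origin; // default ports are dropped, e.g. https://x:443 -> https://x
}

// Weak responder: echoes whatever Origin the client sent (what the issue reports).
// Combined with Access-Control-Allow-Credentials: true and cookie-based auth this
// would let any site read authenticated responses; without cookies it is a gap.
function reflectingCorsHeaders(requestHeaders) {
  const origin = requestHeaders.origin;
  if (!origin) return {};
  return { "access-control-allow-origin": origin, vary: "Origin" };
}

// Hardened responder: exact-match the normalised Origin against the allowlist.
// Exact matching avoids the usual suffix/regex mistakes, e.g.
// "https://developer.example.com.attacker.net" passing an endsWith() check.
function allowlistCorsHeaders(requestHeaders, allowed = ALLOWED_ORIGINS) {
  const origin = normalizeOrigin(requestHeaders.origin);
  if (!origin) return {};
  const allowedSet = new Set(allowed.map(normalizeOrigin).filter(Boolean));
  if (!allowedSet.has(origin)) return {}; // no ACAO at all: the browser blocks the read
  return { "access-control-allow-origin": origin, vary: "Origin" };
}

// Classify what a probe sent with a chosen Origin got back. "reflected" is the
// finding in this issue; "reflected-with-credentials" is the exploitable variant.
// ("wildcard-with-credentials" is rejected by browsers but still worth flagging.)
function classifyCorsResponse(probeOrigin, responseHeaders) {
  const acao = responseHeaders["access-control-allow-origin"];
  const creds =
    String(responseHeaders["access-control-allow-credentials"] || "").toLowerCase() === "true";
  if (!acao) return "no-cors-header";
  if (acao === "*") return creds ? "wildcard-with-credentials" : "wildcard";
  if (acao === probeOrigin) return creds ? "reflected-with-credentials" : "reflected";
  return "fixed-origin";
}

// Run a responder against a constructed request (no network) and return the verdict.
function probe(responder, probeOrigin) {
  const headers = responder({ origin: probeOrigin });
  return classifyCorsResponse(probeOrigin, headers);
}

// Demo with the origin used in the issue's reproduction steps (constructed input).
const issueOrigin = "https://www.random-website.com";
console.log("reflecting responder:", probe(reflectingCorsHeaders, issueOrigin));
console.log("allowlist responder: ", probe(allowlistCorsHeaders, issueOrigin));
// Note: an allowlisted origin is also echoed, so one probe with a known-good
// origin cannot tell an allowlist from reflection; probe with a random one.
console.log("allowlist, allowed:  ", probe(allowlistCorsHeaders, "https://developer.example.com"));
```

To reproduce the reporter's check against a live endpoint, send a random origin exactly as the curl step does and feed the response headers to classifyCorsResponse; a "reflected" verdict on an origin that cannot possibly be in any custom-domain list is the signal, and the additional presence of access-control-allow-credentials: true is what would escalate it from hardening to a real cross-origin data leak.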

mikebudzynski commented 3 years ago

Thanks for bringing this up. API Management doesn't enforce strict CORS policies by design. Is there a reason you need to have CORS enforced on the backend?

CosminLazar commented 3 years ago

We received this through our bug bounty program and thought to share it with you guys. Given that it is not a security issue we have no immediate need to have CORS enforced in the backend.

mrcarlosdev commented 6 months ago

This issue is related to the managed developer portal. We advise you to create an Azure support request to get assistance on this issue. Please refer to the link below to create a new Azure support request, and select Problem Type = "Developer Portal" in the request to route it appropriately.

https://learn.microsoft.com/en-us/azure/azure-portal/supportability/how-to-create-azure-support-request