Binara-Prabhanga / AcademyNet


Cross-Domain Misconfiguration (CORS) allows access to unauthenticated APIs #26

Closed poorna-theekshana closed 1 month ago

poorna-theekshana commented 1 month ago

The web application is vulnerable to CORS misconfiguration, which allows arbitrary third-party domains to make read requests on unauthenticated APIs. This misconfiguration is due to the Access-Control-Allow-Origin: * header that permits all origins. While web browsers restrict access to authenticated responses, this could allow attackers to access sensitive data in scenarios where other forms of security, such as IP address whitelisting, are used.
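An added example (not code from the AcademyNet project) that puts the wildcard setting described above next to an allowlist-based replacement, plus a small classifier that flags the risky header combinations when reviewing a response. The origins in `ALLOWED_ORIGINS` are constructed placeholders.

```javascript
// Constructed allowlist: only origins that legitimately need cross-origin
// read access to the API. Anything else gets no CORS grant at all.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",   // constructed: the site's own front-end
  "https://admin.example.com", // constructed: a second trusted origin
]);

// Weak policy reported in this issue: every origin may read the response.
function wildcardCorsHeaders() {
  return { "Access-Control-Allow-Origin": "*" };
}

// Hardened policy: echo the request Origin only when it is on the allowlist,
// and tell caches the answer varies by Origin. An unknown origin receives no
// Access-Control-Allow-Origin header, so the browser blocks the read.
function allowlistCorsHeaders(requestOrigin) {
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) {
    return { Vary: "Origin" };
  }
  return { "Access-Control-Allow-Origin": requestOrigin, Vary: "Origin" };
}

// Classify a response's CORS headers the way a reviewer would:
//   "wildcard"                  any site can read the body (this finding)
//   "wildcard-with-credentials" invalid combination that browsers reject
//   "origin-specific"           grant scoped to a single origin
//   "none"                      no cross-origin read permitted
function classifyCors(headers) {
  const acao = headers["Access-Control-Allow-Origin"];
  const creds = headers["Access-Control-Allow-Credentials"];
  if (acao === undefined) return "none";
  if (acao === "*") {
    return creds === "true" ? "wildcard-with-credentials" : "wildcard";
  }
  return "origin-specific";
}
```

Running `classifyCors` over the headers returned by each endpoint is a quick way to confirm the fix landed everywhere, including on endpoints that are only protected by network-level controls such as IP whitelisting.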