
Commit 81129e9

Merge pull request #3066 from securestep9/securestep9-fix-6731
Fix 6731 - replaced dead CORS misconfiguration reference URL
2 parents 444f5f7 + 54c8898 commit 81129e9

2 files changed

+3
-2
lines changed

addOns/pscanrules/CHANGELOG.md

Lines changed: 2 additions & 1 deletion
@@ -4,7 +4,8 @@ All notable changes to this add-on will be documented in this file.
44
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
55

66
## Unreleased
7-
7+
### Fixed
8+
- Fixed reference URL on CORS misconfiguration.
89

910
## [35] - 2021-07-06
1011
### Changed
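Review bot: the new entry under `### Fixed` ("Fixed reference URL on CORS misconfiguration.") does not use the rule's displayed name, which the Messages.properties hunk in this same commit shows as `Cross-Domain Misconfiguration`, and it omits the issue this change closes even though the commit title is "Fix 6731". Suggest something like `- Fixed the reference URL of the Cross-Domain Misconfiguration (CORS) scan rule (Issue 6731).` so a reader of the changelog can find both the rule and the tracking issue.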

addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages.properties

Lines changed: 1 addition & 1 deletion
@@ -39,7 +39,7 @@ pscanrules.cookiesamesite.refs=https://tools.ietf.org/html/draft-ietf-httpbis-co
3939
pscanrules.crossdomain.name=Cross-Domain Misconfiguration
4040
pscanrules.crossdomain.desc=Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server
4141
pscanrules.crossdomain.soln=Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).\nConfigure the "Access-Control-Allow-Origin" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.
42-
pscanrules.crossdomain.refs=http://www.hpenterprisesecurity.com/vulncat/en/vulncat/vb/html5_overly_permissive_cors_policy.html
42+
pscanrules.crossdomain.refs=https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy
4343
pscanrules.crossdomain.extrainfo=The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.
4444

4545
pscanrules.cookielooselyscoped.name=Loosely Scoped Cookie
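Review bot: the replacement `pscanrules.crossdomain.refs` value points at a .NET-specific catalogue entry (`desc.config.dotnet.html5_overly_permissive_cors_policy`), while the surrounding `desc`, `soln` and `extrainfo` context lines describe a generic server-side `Access-Control-Allow-Origin` misconfiguration with no platform dependence. Since the commit exists precisely because the previous single-vendor URL went dead, consider pairing this link with, or replacing it by, a vendor-neutral CORS reference so the rule's documentation does not hinge on one vendor keeping its URL scheme stable.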
