Cross-Domain Misconfiguration alerts raised as of version 2.9

Xinlei Zhong

Jan 30, 2021, 11:00:43 PM
to OWASP ZAP User Group
Hi there:)

First, please allow me to thank you for providing the previous versions of ZAP.

I tried to scan my endpoints with ZAP 2.5 to ZAP 2.10, and I noticed that as of ZAP 2.9 an alert called Cross-Domain Misconfiguration (WASC_ID 14) comes up. My server's response headers are as follows:

HTTP/1.1 201 Created
Date: Thu, 28 Jan 2021 06:18:34 GMT
Location: http://ip:port/endpoint
X-Server-Millis: 1611839902310
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: origin, content-type, accept, authorization
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS, HEAD
Server: Jetty(9.4.33.v20201020)
X-Cache: MISS from proxyserver02
X-Cache-Lookup: MISS from proxyserver02:8080
Via: 1.1 proxyserver02 (squid/3.5.27)
X-RBT-CLI: Name=cnrvsha01; Ver=9.10.0a;
Connection: keep-alive
Content-Length: 0

So my question is: what makes the alert start to be generated, and should I pay attention to this and try to get rid of the alert?

Thanks

kingthorin+owaspzap

Jan 31, 2021, 4:05:40 PM
to OWASP ZAP User Group
You should read the alert details to have a better understanding of the issue.

Access-Control-Allow-Origin: *

is likely the issue.
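For reference, an added example (not ZAP's code and not from either poster) of a passive check over the headers quoted in the question: it flags the wildcard Access-Control-Allow-Origin, notes the combination with Access-Control-Allow-Credentials, and shows the usual fix of echoing only an allow-listed Origin. The allow-list and the origins used below are assumed values.

```python
from typing import Dict, List, Set

# Constructed sample: the CORS-relevant headers quoted in the question above.
SAMPLE_RESPONSE = """HTTP/1.1 201 Created
Location: http://ip:port/endpoint
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: origin, content-type, accept, authorization
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS, HEAD
Content-Length: 0
"""

# Assumed allow-list of front-end origins permitted to call the API.
ALLOWED_ORIGINS: Set[str] = {"https://app.example.com"}

def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP response (status line + headers) into a dict with lower-cased names."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():               # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def cors_findings(headers: Dict[str, str]) -> List[str]:
    """Report the CORS weaknesses the Cross-Domain Misconfiguration alert is about."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    if h.get("access-control-allow-origin", "").strip() == "*":
        # Any site a visitor's browser loads may read this response cross-origin.
        findings.append("wildcard-origin")
        if h.get("access-control-allow-credentials", "").strip().lower() == "true":
            # Browsers refuse '*' together with credentials, but the pair shows the
            # server intends to expose credentialed responses to every origin.
            findings.append("wildcard-with-credentials")
    return findings

def build_cors_headers(request_origin: str, allowed: Set[str] = ALLOWED_ORIGINS) -> Dict[str, str]:
    """Hardened form: echo the request Origin only if allow-listed, and add Vary: Origin."""
    if request_origin not in allowed:
        return {}                           # no CORS headers: the browser blocks the read
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",                   # caches must not serve one origin's reply to another
    }
```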