Does ZAP detect wide open CORS header responses?


Dave Wichers

Sep 5, 2017, 12:40:51 PM
to OWASP ZAP User Group
I'm seeing an app respond with this header/value:
Access-Control-Allow-Origin: *

But I'm not seeing an alert in ZAP indicating this is a potential issue.

Is there any feature/plugin for detecting bad/dangerous CORS responses like this?

I'm using ZAP weekly release D-2017-07-04 (which I think is July 4), so it's a pretty new version.

Thanks, Dave

thc...@gmail.com

Sep 5, 2017, 12:46:53 PM
to zaprox...@googlegroups.com
Hi.

There's a scanner for that:
https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha#cross-domain-misconfiguration

bundled in the Passive scanner rules (alpha) add-on, which is not
included by default in the weekly releases.

Best regards.

Dave Wichers

Sep 5, 2017, 12:52:46 PM
to OWASP ZAP User Group
This seems like an important security area. How hard would it be to get this plugin out of Alpha so it IS included with ZAP by default?

Simon Bennetts

Sep 5, 2017, 2:05:27 PM
to OWASP ZAP User Group
It would need some unit tests implemented.
We actually use all of the alpha rules for the Mozilla Cloud Services baseline scan, and we've had no problem with this one.
I'd definitely support its promotion, once the tests were written.
I'll add them to my list, but if anyone else can look at them sooner than that, it would be great :)

Cheers,

Simon

Dave Wichers

Sep 5, 2017, 6:09:14 PM
to OWASP ZAP User Group
I'm actually seeing this as a Beta rule that is on by default in the weekly release (which I'm using) when I go into the Scan Policy Manager. It's under Server Security. So it looks like it's Beta now, and included by default (so it should be in 2.7.0 when it is released).

So my question now is, why didn't this rule fire on responses that contain the HTTP response header: Access-Control-Allow-Origin: *

Is there some combination of response headers where this header value, plus others, is actually considered OK?

-Dave

thc...@gmail.com

Sep 5, 2017, 6:12:26 PM
to zaprox...@googlegroups.com
Hi.

That's another scanner, an active one; it checks different things:
https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta#cross-domain-misconfiguration

Best regards.

Dave Wichers

Sep 6, 2017, 3:25:54 PM
to OWASP ZAP User Group
I notice that a number of beta and alpha passive rules ARE included with the weekly release. Why those and not all the others? Just wondering.

Any chance we can get the CORS Misconfiguration and Strict Transport passive rules included in the weekly release at least? I'd love to see both of them included in ZAP by default as soon as we can make that happen. Lots of people are using Strict Transport now, so we should report about that too.

-Dave

Simon Bennetts

Sep 7, 2017, 3:10:49 AM
to OWASP ZAP User Group
Whether or not to include add-ons in the weekly release is a judgement call, and it's not a very formal one ;)
We typically include add-ons that we think are:
  • Ready for wider adoption
  • We'd like more exposure for

At the moment we include the release and beta quality rules and selected release, beta and alpha addons.

For reference the relevant configs are:


I'd actually be fine including the alpha active and passive rules as well; as I've mentioned before, we use the alpha passive scan rules in our daily baseline scan at Mozilla. The baseline scan has a -a option which makes this particularly easy: https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan#usage


Thoughts and feedback from anyone appreciated!


Simon

kingthorin+owaspzap

Sep 7, 2017, 6:52:09 AM
to OWASP ZAP User Group
I'll vote for including alpha active and passive too

Stephen S

Sep 7, 2017, 12:23:43 PM
to OWASP ZAP User Group
I've followed the instructions in this thread and installed both add-ons. Looking at the "Default Policy" in "Scan Policy Manager", the "Cross-Domain Misconfiguration" rule is displayed. When I run an active scan I receive a page that contains the "Access-Control-Allow-Origin: *" response header; however, no alert is shown. Is there further configuration required to detect this? I'm running ZAP 2.6.0.

kingthorin+owaspzap

Sep 7, 2017, 1:46:37 PM
to OWASP ZAP User Group
The result you want is part of the passive scan rules. The messages sent/received by the active scanner are not processed by the passive scanner (IIRC, for performance reasons).

So you'd have to proxy or spider (traditional or ajax) the page in question.

Stephen S

Sep 11, 2017, 5:56:42 AM
to OWASP ZAP User Group
Thanks, I've tried a spider and a proxy using Firefox, but no alert is being triggered. My current setup is:

ZAP 2.6.0

Add-Ons:
ascanrulesAlpha-alpha-19.zap
ascanrulesBeta-beta-21.zap
pscanrulesBeta-beta-16.zap

I'm receiving a response with the following headers:

HTTP/1.1 403 Forbidden
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
x-frame-options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Vary: X-HTTP-Method-Override
Content-Type: text/html; charset=utf-8
Content-Length: 4836
Date: Mon, 11 Sep 2017 09:34:25 GMT
Connection: keep-alive

Should I expect the "Cross-Domain Misconfiguration" rule to be triggered for this response?

I also noticed that under Tools > Options > Passive Scan Rules there is no mention of "Cross-Domain Misconfiguration"; however, it is visible in Scan Policy Manager.
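As an added illustration (not ZAP's own rule code), the script below parses a raw header block like the one posted above and flags a wildcard Access-Control-Allow-Origin, and separately the wildcard-plus-credentials combination that appears in that response; the function names `parse_headers` and `cors_findings` are my own, and the sample is trimmed from the headers in this thread.

```python
"""Minimal passive check for wide-open CORS response headers.
Added example, not code from the ZAP project; the names here are made up."""
from typing import Dict, List


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse 'Name: value' lines into a dict keyed by lower-cased name.
    The HTTP status line is skipped; duplicate headers keep the last value."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def cors_findings(raw: str) -> List[str]:
    """Return the CORS findings for one response; an empty list means no alert."""
    h = parse_headers(raw)
    findings: List[str] = []
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return findings  # no CORS policy exposed at all
    if acao == "*":
        findings.append("Access-Control-Allow-Origin: * lets any origin read this response")
        # Browsers refuse to honour a wildcard origin on credentialed requests, so this
        # pairing never works as intended and is a strong sign of a misconfigured policy.
        if h.get("access-control-allow-credentials", "").lower() == "true":
            findings.append("Access-Control-Allow-Credentials: true combined with a wildcard origin")
    return findings


# Sample input trimmed from the 403 response headers posted in this thread.
SAMPLE_403 = """HTTP/1.1 403 Forbidden
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Content-Type: text/html; charset=utf-8
"""

if __name__ == "__main__":
    for finding in cors_findings(SAMPLE_403):
        print("ALERT:", finding)
```

Note that this only sees responses that actually pass through the passive side (proxied or spidered traffic), mirroring the point made earlier in the thread that active-scan messages are not passively scanned.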

thc...@gmail.com

Sep 11, 2017, 6:30:37 AM
to zaprox...@googlegroups.com
Is pscanrulesAlpha installed too? That's the add-on that includes the
"Cross Domain Misconfiguration" passive scanner.

Best regards.