SoFunction
Updated on 2025-03-04

Implementation method of Nginx to fix CORS vulnerabilities

Vulnerability description

A CORS misconfiguration vulnerability arises when the resource server's Access-Control-Allow-Origin response header is set improperly during cross-origin resource sharing: a requesting website that should have been restricted can bypass the access control policy and read data from the resource server, leading to user privacy leakage, information theft and even account hijacking.

Vulnerability details

The following target was scanned and tested: /external/

The vulnerability was found there.

The value of Access-Control-Allow-Origin was found to be .

The request flow of the vulnerability detection process is as follows.
The first request is:

GET /external/ HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en
Origin: .
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip

The first response is:

HTTP/1.1 401 
Access-Control-Allow-Methods: GET,POST,OPTIONS,PUT,DELETE
Access-Control-Allow-Origin: .
Connection: keep-alive
Content-Length: 0
Date: Mon, 13 Nov 2023 02:07:00 GMT
Www-Authenticate: BASIC realm="application"
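The capture above is what a scanner looks at: the request carries an Origin the server should not trust, and the response echoes it in Access-Control-Allow-Origin even though the status is 401. The following checker, an added example that is not part of the original article, parses a raw request/response pair and classifies the CORS headers the way a reviewer would. The sample messages are constructed from the capture above, with "https://other.example" and "app.internal.example" standing in for the origin and host that the article's capture elided.

```python
"""Assess a captured HTTP request/response pair for an unsafe CORS configuration.

Added example (not from the original article). The sample request/response is
constructed; "https://other.example" is a placeholder for a third-party Origin.
"""
from typing import Dict, Iterable, Tuple

# Constructed sample modelled on the capture in the article: a 401 response
# that still emits CORS headers and reflects whatever Origin was sent.
SAMPLE_REQUEST = """GET /external/ HTTP/1.1
Host: app.internal.example
Origin: https://other.example
Accept: text/html
"""

SAMPLE_RESPONSE = """HTTP/1.1 401
Access-Control-Allow-Methods: GET,POST,OPTIONS,PUT,DELETE
Access-Control-Allow-Origin: https://other.example
Connection: keep-alive
Content-Length: 0
Www-Authenticate: BASIC realm="application"
"""


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the head of a raw HTTP/1.1 message into a dict.

    The start line (request line or status line) is skipped; header names are
    case-insensitive on the wire, so they are lower-cased for lookup.
    """
    headers: Dict[str, str] = {}
    lines = raw.strip("\n").splitlines()
    for line in lines[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def assess_cors(request: Dict[str, str], response: Dict[str, str],
                trusted_origins: Iterable[str] = ()) -> Tuple[str, str]:
    """Return (verdict, reason) for one request/response pair.

    Verdicts: "vulnerable" (a cross-origin page could read the response),
    "review" (permissive, but not for credentialed data) or "safe".
    trusted_origins lists origins the server is *meant* to allow, so that a
    legitimately allowlisted echo is not reported as reflection.
    """
    origin = request.get("origin")
    acao = response.get("access-control-allow-origin")
    credentials = response.get("access-control-allow-credentials", "").lower() == "true"
    trusted = {o.lower() for o in trusted_origins}

    if acao is None:
        return "safe", "no Access-Control-Allow-Origin: browsers block cross-origin reads"
    if acao == "*":
        # Browsers refuse '*' together with credentials, so only anonymous
        # responses are exposed; acceptable for genuinely public data only.
        return "review", "wildcard origin exposes the response to every site (anonymously)"
    if acao == "null":
        # 'null' is the Origin of sandboxed iframes and file:// pages, which
        # any site can produce, so allowing it is equivalent to reflection.
        return "vulnerable", "Access-Control-Allow-Origin: null is reachable from any site"
    if origin is not None and acao.lower() == origin.lower():
        if origin.lower() in trusted:
            return "safe", f"{acao} is on the allowlist"
        reason = "request Origin is reflected back: any site can read the response"
        if credentials:
            reason += " with the victim's cookies (Allow-Credentials: true)"
        return "vulnerable", reason
    return "safe", f"Access-Control-Allow-Origin is fixed to {acao}"


def check_capture(raw_request: str, raw_response: str,
                  trusted_origins: Iterable[str] = ()) -> Tuple[str, str]:
    """Parse both raw messages and assess them."""
    return assess_cors(parse_headers(raw_request), parse_headers(raw_response), trusted_origins)


if __name__ == "__main__":
    verdict, reason = check_capture(SAMPLE_REQUEST, SAMPLE_RESPONSE)
    print(f"{verdict}: {reason}")
```

The decisive signal is the reflection: the server copies the request's Origin into Access-Control-Allow-Origin without comparing it to an allowlist. A single allowed origin echoed back is normal, which is why the checker takes the intended allowlist as input; a scan sends an Origin that is not on it and sees whether it comes back.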

Vulnerability fix

        # $flag collects one "1" per failed check: "0" = allowlisted origin,
        # "01" = foreign origin, "011" = no Origin header at all
        set $flag 0;

        if ($http_origin = ''){
            set $flag "${flag}1";
        }

        if ($http_origin !~* ^(http|https)://test\.test\.com$){
            set $flag "${flag}1";
        }

        # only a present, non-allowlisted Origin is refused
        if ($flag = "01"){
            return 403;
        }

        # allowlisted origin: echo it back with the rest of the CORS headers
        if ($http_origin ~* ^(http|https)://test\.test\.com$) {
            add_header Access-Control-Allow-Origin $http_origin;
            add_header Access-Control-Allow-Methods GET,POST;
            add_header Access-Control-Allow-Credentials true;
            add_header Access-Control-Allow-Headers DNT,Keep-Alive,User-Agent,If-Modified-Since,Cache-Control,Content-Type;
        }
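The three `if` blocks above encode one decision: requests without an Origin header pass through untouched, requests from the allowlisted origin get CORS headers, and everything else is refused with 403. The following Python re-implementation is an added example, not part of the original article or the nginx configuration; it mirrors the $flag control flow so the allowlist regex can be exercised against many Origin values offline. The host "test.test.com" and the headers are taken from the configuration above; the other origins it is run against are constructed test values.

```python
"""Model of the $flag decision in the nginx CORS fix.

Added example (not from the original article): a Python re-implementation of
the config's control flow. The test origins other than test.test.com are
constructed values.
"""
import re
from typing import Dict, Iterable, Optional, Tuple

# Same pattern as the config. nginx's ~* operator is a case-insensitive PCRE
# search, so re.search with IGNORECASE reproduces it; ^ and $ keep the anchors.
ALLOWED_ORIGIN = re.compile(r"^(http|https)://test\.test\.com$", re.IGNORECASE)

# Headers the config adds for an allowlisted origin (Allow-Origin is echoed).
CORS_HEADERS = {
    "Access-Control-Allow-Methods": "GET,POST",
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Headers": "DNT,Keep-Alive,User-Agent,If-Modified-Since,Cache-Control,Content-Type",
}


def decide(origin: Optional[str]) -> Tuple[int, Dict[str, str]]:
    """Return (status, added headers) exactly as the three `if` blocks would.

    nginx sets $http_origin to the empty string when the Origin header is
    absent, which is how same-origin navigations and non-browser clients look.
    A 200 stands in for "no return; continue to proxy_pass".
    """
    http_origin = origin if origin is not None else ""
    flag = "0"
    if http_origin == "":
        flag += "1"                      # $flag = "01" so far
    if not ALLOWED_ORIGIN.search(http_origin):
        flag += "1"                      # "011" if also empty, "01" otherwise
    if flag == "01":
        return 403, {}                   # present but foreign Origin: refused

    headers: Dict[str, str] = {}
    if ALLOWED_ORIGIN.search(http_origin):
        headers["Access-Control-Allow-Origin"] = http_origin
        headers.update(CORS_HEADERS)
    return 200, headers


def cors_table(origins: Iterable[Optional[str]]) -> Dict[Optional[str], int]:
    """Evaluate several origins at once; useful when reviewing an allowlist change."""
    return {o: decide(o)[0] for o in origins}


if __name__ == "__main__":
    for o in [None, "https://test.test.com", "HTTP://Test.Test.Com",
              "https://test.test.com.evil.example", "https://testxtest.com",
              "http://test.test.com:8080", "null"]:
        print(repr(o), decide(o))
```

Running the table shows why the pattern is written the way it is: the `^` and `$` anchors reject "https://test.test.com.evil.example", the escaped dots reject "https://testxtest.com", and the `null` origin is refused rather than echoed. Two points to keep in mind when adapting it: an origin includes the port, so a site served on a non-standard port needs the port in the pattern or it will be refused; and because Access-Control-Allow-Origin now varies with the request, a `Vary: Origin` header on the response keeps shared caches from serving one origin's answer to another.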

The specific configuration is as follows:

  server {
        listen 80;
        server_name ;

        location / {
            # $flag collects one "1" per failed check: "0" = allowlisted origin,
            # "01" = foreign origin, "011" = no Origin header at all
            set $flag 0;

            if ($http_origin = ''){
                set $flag "${flag}1";
            }

            if ($http_origin !~* ^(http|https)://test\.test\.com$){
                set $flag "${flag}1";
            }

            # only a present, non-allowlisted Origin is refused
            if ($flag = "01"){
                return 403;
            }

            # allowlisted origin: echo it back with the rest of the CORS headers
            if ($http_origin ~* ^(http|https)://test\.test\.com$) {
                add_header Access-Control-Allow-Origin $http_origin;
                add_header Access-Control-Allow-Methods GET,POST;
                add_header Access-Control-Allow-Credentials true;
                add_header Access-Control-Allow-Headers DNT,Keep-Alive,User-Agent,If-Modified-Since,Cache-Control,Content-Type;
            }

            # Change IP and port to the access address and port of the DataEase server
            proxy_pass   http://192.168.110.251:81/;
            server_name_in_redirect off;

            # websocket proxy
            proxy_http_version      1.1;
            proxy_set_header        Upgrade         $http_upgrade;
            proxy_set_header        Connection "upgrade";

            proxy_set_header           Host $host:$server_port;
            proxy_set_header           X-Real-IP $remote_addr;
            proxy_set_header           X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header           X-Forwarded-Proto $scheme;
        }
  }
