
I'm testing a web application and Burp detected this issue: "Cross-origin resource sharing: arbitrary origin trusted".

Looking at the response, I only see this header: `Access-Control-Allow-Origin: https://www.evil.com`

Considering that the response lacks the header `Access-Control-Allow-Credentials: true`, can I consider this vulnerability a false positive?

Thanks a lot!

moskino11
  • Related: https://security.stackexchange.com/questions/227779/concrete-example-of-how-can-access-control-allow-origin-cause-security-risks – jub0bs Sep 18 '21 at 09:14
  • Does this answer your question? [Concrete example of how can Access-Control-Allow-Origin:\* cause security risks?](https://security.stackexchange.com/questions/227779/concrete-example-of-how-can-access-control-allow-origin-cause-security-risks) – jub0bs Sep 18 '21 at 09:15

1 Answer


Burp is Very Concerned about CORS for some reason. Non-credentialed CORS requests can be a vulnerability, but only if the server (or endpoint) authorization is based on something other than credentials/authentication, and specifically is based on request source. For everything else, it's a non-issue; any attacker could just directly make the request themselves. Burp will consider it to always be a high-confidence high-severity vuln, though.

In other words, if an endpoint is only available via local or loopback connections, or only available to specific IPs, then un-authenticated CORS might be a risk. In all other cases - which cover the vast majority of situations - it's not. In theory, Burp could test this directly by checking the endpoint from a collaborator server or similar (and compare that to what it gets from the proxy), but this doesn't seem to be a feature it has.

With that said, if you're going to allow arbitrary origins, and are not going to allow credentials, that's exactly the use for `Access-Control-Allow-Origin: *`. Just be warned that Burp will freak out about that too.

CBHacking
  • Thanks for your support! – moskino11 Sep 17 '21 at 12:14
  • As mentioned [elsewhere](https://security.stackexchange.com/a/254684/127436), allowing arbitrary origins on endpoints that may return *private* data and are not protected against CSRF (e.g. login, in many cases) is dangerous. – jub0bs Dec 19 '21 at 17:03
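The triage rule from the answer, as an added example that is not code from the question, the answer or Burp: the reflecting configuration the scanner flags beside an allowlist form, and a small rating helper that applies the answer's "only if authorization is based on request source" condition. Helper names, `ALLOWLIST` and the sample origins are my own.

```python
# Added example; the rules encoded here come from the answer above, the
# function names and sample origins are assumptions made for illustration.

ALLOWLIST = {"https://app.example.com", "https://admin.example.com"}  # constructed


def reflecting_cors(request_origin, allow_credentials):
    """The configuration the scanner flagged: echo whatever Origin arrives."""
    headers = {"Access-Control-Allow-Origin": request_origin}
    if allow_credentials:
        # Reflected origin plus credentials lets any site read authenticated
        # responses, so the answer's "only if" caveat no longer applies.
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def allowlist_cors(request_origin, allow_credentials):
    """Hardened form: only named origins, and credentials only for those."""
    if request_origin not in ALLOWLIST:
        return {}  # untrusted origin: no CORS headers, the browser blocks the read
    headers = {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def triage_cors_finding(headers, authorized_by_source):
    """Rate an 'arbitrary origin trusted' finding from the observed headers.

    headers: CORS headers returned after a request carrying an untrusted Origin.
    authorized_by_source: True if the endpoint is reachable only from loopback
        or internal addresses, or otherwise authorizes by request source.
    """
    acao = headers.get("Access-Control-Allow-Origin")
    acac = headers.get("Access-Control-Allow-Credentials", "").lower()
    if acao is None:
        return "none"    # no cross-origin read is permitted at all
    if acac == "true":
        return "high"    # credentialed cross-origin read of authenticated data
    if authorized_by_source:
        return "medium"  # a browser inside the trusted network can reach it
    return "info"        # same exposure as ACAO: *; the data is already public
```

For the question's response (`ACAO` reflected, no `ACAC`) on an endpoint that authenticates by credentials, `triage_cors_finding` returns `"info"`, which is the answer's conclusion.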