Permissive Cross-domain Policy with Untrusted Domains
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-942: Permissive Cross-domain Policy with Untrusted Domains |
| OWASP | A05:2021 - Security Misconfiguration |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The Function App is configured to allow CORS requests from any origin (`'*'`), so any website can make cross-origin requests to your app's APIs from a visitor's browser. This overly permissive setting exposes your application to unauthorized cross-origin access.
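To see what this misconfiguration looks like and how to detect it, here is an added example (not part of the original page or of any scanner's own code). It scans the `resources` array of an ARM template for `Microsoft.Web/sites` resources of kind `functionapp` whose `siteConfig.cors.allowedOrigins` contains the wildcard; the template below is a constructed sample with one weak app, one corrected app restricted to a single trusted origin, and one non-Function web app that the check ignores.

```python
"""Flag Azure Function Apps whose CORS allowedOrigins contains the wildcard '*'."""
import json

# Constructed sample ARM template (not a real deployment): a wildcard-CORS
# Function App (weak), a Function App limited to one trusted origin (fixed),
# and a plain Web App that this Function App rule does not cover.
SAMPLE_TEMPLATE = json.dumps({
    "resources": [
        {"type": "Microsoft.Web/sites", "kind": "functionapp", "name": "fn-weak",
         "properties": {"siteConfig": {"cors": {"allowedOrigins": ["*"]}}}},
        {"type": "Microsoft.Web/sites", "kind": "functionapp,linux", "name": "fn-fixed",
         "properties": {"siteConfig": {"cors": {
             "allowedOrigins": ["https://app.example.com"],
             "supportCredentials": False}}}},
        {"type": "Microsoft.Web/sites", "kind": "app", "name": "web-any",
         "properties": {"siteConfig": {"cors": {"allowedOrigins": ["*"]}}}},
    ]
})


def permissive_cors_function_apps(template_json: str) -> list[str]:
    """Return the names of Function Apps that allow CORS from any origin.

    A resource with no cors block grants no cross-origin access in the
    template, so it is not reported; only an explicit '*' entry is flagged.
    """
    findings = []
    for res in json.loads(template_json).get("resources", []):
        if res.get("type") != "Microsoft.Web/sites":
            continue
        # Function Apps carry 'functionapp' in their kind (e.g. 'functionapp,linux').
        if "functionapp" not in str(res.get("kind", "")).lower():
            continue
        site_config = (res.get("properties") or {}).get("siteConfig") or {}
        origins = (site_config.get("cors") or {}).get("allowedOrigins") or []
        if any(str(origin).strip() == "*" for origin in origins):
            findings.append(res.get("name", "<unnamed>"))
    return findings


if __name__ == "__main__":
    for name in permissive_cors_function_apps(SAMPLE_TEMPLATE):
        print(f"CWE-942: {name} allows CORS requests from any origin ('*')")
```

The corrected resource (`fn-fixed`) shows the remediation the page calls for: list only the trusted origins that actually need to call the app.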
Impact
Attackers could exploit this by making malicious requests from untrusted websites, potentially stealing sensitive data or abusing your APIs. This increases the risk of data leakage, account compromise, and other attacks via unauthorized cross-origin interactions.