Enhance CORS testing guide (Testing Cross Origin Resource Sharing) #656

@jeremychoi

Description

What's the issue?
Describe the problem and why it should be fixed. Be concise and specific. Reference sections where appropriate.

The current CORS guide (4-Web_Application_Security_Testing/11-Client-side_Testing/07-Testing_Cross_Origin_Resource_Sharing.md)

  • shows the examples from the 'client-side' code point of view only, although CORS is the concept that should be focused on the server-side configuration too.
  • The current location of the CORS guide, Client-side_Testing, doesn't fit completely. (I suggest it be under Configuration_and_Deployment_Management_Testing)
  • Access-Control-Allow-Credentials section needs more details
  • no References section exists

How do we solve it?
Clearly describe the solution you'd like to see implemented.

I suggest a few points:

  • add a few more examples to focus on server misconfiguration
  • add more details for Access-Control-Allow-Credentials
  • add References section
  • suggest moving it to the different section

PR will follow soon.

IMO the location of the CORS guide should be moved to under Configuration_and_Deployment_Management_Testing. FWIW, ASVS has a CORS item under V14 Configuration Verification Requirements.

Would you like to be assigned to this issue?
Check the box if you will submit a PR to fix this issue. Please read CONTRIBUTING.md.

  • Assign me, please!
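As an added example (not part of this issue or of the WSTG text it discusses), the kind of server-side check the request asks the guide to cover: a small classifier for CORS response headers, centred on how Access-Control-Allow-Origin combines with Access-Control-Allow-Credentials. The header names are real; the `assess_cors` function, its `allowlist` argument and the sample responses are constructed for this illustration.

```python
from typing import Dict, List, Set

def assess_cors(headers: Dict[str, str], request_origin: str,
                allowlist: Set[str]) -> List[str]:
    """Classify one response's CORS headers; an empty list means no finding.
    request_origin is the Origin the probe carried (to spot reflection);
    allowlist is the set of origins the deployment trusts (assumed known)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    vary = {v.strip().lower() for v in h.get("vary", "").split(",")}
    findings: List[str] = []
    if acao is None:
        return findings  # no grant at all: the browser withholds the body
    if acao == "*":
        # Browsers refuse "*" together with credentials, so that pair is a
        # broken config; "*" alone exposes only unauthenticated responses.
        findings.append("wildcard-with-credentials" if creds else "wildcard-origin")
    elif acao == "null":
        # "null" is also the origin of sandboxed iframes and file: pages,
        # so allowing it is close to allowing any page.
        findings.append("null-origin-with-credentials" if creds else "null-origin")
    elif acao not in allowlist:
        if acao == request_origin:
            # Arbitrary Origin echoed back: as open as "*", but unlike "*"
            # it can be paired with Access-Control-Allow-Credentials.
            findings.append("reflected-origin-with-credentials" if creds
                            else "reflected-origin")
        else:
            findings.append("unexpected-fixed-origin")
    if acao == request_origin and "origin" not in vary:
        # An origin-dependent answer without "Vary: Origin" can be cached
        # by a shared cache and served to a different origin.
        findings.append("missing-vary-origin")
    return findings

# Constructed sample responses to one probe sent with
# "Origin: https://other.example" (not a real deployment).
SAMPLES = {
    "reflecting": {"Access-Control-Allow-Origin": "https://other.example",
                   "Access-Control-Allow-Credentials": "true"},
    "fixed": {"Access-Control-Allow-Origin": "https://app.example",
              "Access-Control-Allow-Credentials": "true", "Vary": "Origin"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, assess_cors(hdrs, "https://other.example", {"https://app.example"}))
```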

Labels

enhancement (A new or improved feature for the WSTG or repo), revise (Needs quality review, updates, or revision)