Mitigating OWASP API Security Risk: Security Misconfiguration using F5 XC Platform

Overview

This article is a continuation of the series of articles on OWASP API Security vulnerabilities and demonstrates a scenario for mitigating API Security Misconfiguration using F5 Distributed Cloud(XC) Platform 

See F5 Distributed Cloud API Security dynamically discover and automatically protect API endpoints.

Introduction to OWASP API Security Misconfiguration

APIs are the backbone of the modern application development model and because of their heavy usage they often become victim of attacks. Sometimes these vulnerabilities arise if security best practices are missed and are not followed properly in application development life cycle. 

Below are a few scenarios which fall under API Security Misconfiguration category: 

  • Latest security patches are not applied.
  • Unnecessary HTTP verbs are enabled exposing APIs to get accessed by them.
  • Improper implementation of CORS policy.
  • Missing repeatable security hardening process.
  • Exposing detailed stack trace error messages or sensitive information.

Problem Statement

Improperly configured CORS policies can expose web applications to vulnerabilities, allowing malicious actors to perform unauthorized actions or access sensitive data. This poses significant risks to user privacy, application integrity, and organizational security.

In the demonstration below we will cover a scenario where the application is vulnerable to CORS and will see how F5 Distributed Cloud WAAP can help in identifying and mitigating such threats.

What is Cross-Origin Resource Sharing (CORS) ? 

CORS is a security feature implemented by browsers to allow or block web applications from making requests to domains other than their own. This mechanism helps prevent certain types of attacks, by ensuring that only authorized domains can access certain resources. CORS occurs only when the target server(cross-origin) is accessed from other domains and sub-domains. CORS works by specific HTTP/S headers that allow a server to explicitly specify which origins are allowed to access its resources and which methods and headers can be used.

Preflight Request: When making cross-origin requests that are complex (i.e., requests that use non-simple  methods, custom headers, or credentials), the browser sends an OPTIONS request before the actual request which is called the preflight request. The preflight request is used to check if the server will allow the actual request. Specifically, a preflight request occurs when a web page makes a cross-origin HTTP request that does not meet the simple request criteria defined by the CORS specification.

    Consider the scenario below, where authentication request in the origin server is handled by some third-party cross-origin server. If the cross-origin server is not configured to block untrusted origins based on domain, methods and headers, attacker can take advantage of this vulnerability by performing harmful action using methods and headers in requests.

Fig 1 - Misconfigured cross-origin web server allowing all requests
  1. Users access the origin web server through web browser and enters the credentials for authentication. Authentication request will be transferred to cross-origin web server for authentication.
  2. Authentication request from origin contains non-simple header (X-Custom-Header), as per CORS specification browser sends a Preflight Request to cross-origin, with all the details of actual request.
  3. Cross-Origin responds back with Preflight Response where it’s allowing all the requests.
  4. Browser checks the preflight response and since all the requests are allowed, actual request containing the payload is sent to the cross-origin.
  5. Cross-Origin responds back with the authentication token.

In this scenario, since all the origins, methods and custom headers are allowed by cross-origin, the attacker can craft a malicious request to modify or delete the content in cross-origin server from any origin server. 

Prevention using F5 XC:

From the suite of security solutions offered by F5 Distributed Cloud(XC) WAAP, here we have chosen to create an ‘CORS Policy’ to allow only authorized requests.

Pre-requisites:

  1. Create a Load Balancer in F5 XC and point the LB to the vulnerable web server by adding the server details in origin pool. For LB configuration steps, please follow the steps here.
  2. Configure CORS policy under “Common Security Controls” in LB to allow only authorized requests. For CORS configuration steps, please follow the steps here.

*Allow Origin and Allow Origin Regex fields in F5 XC CORS configuration will be used to verify the Origins for CORS. Origins/Domains not listed won’t be blocked and continue to work normally.

Note – Chrome browser is used throughout this demo

Fig 2 - Misconfigured cross-origin web server behind F5 XC which has CORS policy configured

The malicious activity which can be performed in the scenario discussed earlier can be mitigated by having the vulnerable cross-origin web server behind F5 XC . In F5 XC load balancer a CORS feature security policy must be configured to check origin, methods and customer headers based on security requirement.

  1. Users access the origin web server through web browser and enters the credentials for authentication. Authentication request will be transferred to cross-origin web server for authentication.Fig 2.1 - User payload for authentication
  2. Authentication request from origin contains non-simple header (X-Custom-Header), as per CORS specification browser sends a Preflight Request to cross-origin, with all the details of actual request.

    Fig 2.2 - Preflight request

    Highlighted sections will be part of Preflight Request sent to the cross-origin (target server) from the web browser. These values are extracted from the request made by the user.

  3. Since cross-origin is protected by F5 XC in this scenario, F5 XC responds with Preflight Response.

    Fig 2.3 - Preflight response

    As per our architecture shown in Fig 2, cross-origin (target server) is behind F5 XC which has a CORS policy configured. The highlighted section shows the Preflight Response sent from the F5 XC to the web browser based on the CORS configuration defined in F5 XC.

  4. The browser checks the preflight response sent from the F5 XC where all the non-simple methods and custom headers are blocked, web browser verifies this and drops the actual request.

    Fig 2.4 - Actual request blocked due to CORS

Fig 2.5 - Preflight options call captured in F5 XC

In the above screenshot, Preflight (OPTIONS) request made to load balancer (having target server) can be observed. The subsequent actual request is not present which is blocked by the browser based on CORS configuration.

Conclusion

In conclusion, ensuring that web applications are safeguarded against CORS vulnerabilities is not just a technical necessity—it's a critical step in protecting users and business. By using F5 XC WAAP solution, proactive control can be taken over security environment, preventing unauthorized cross-origin requests and safeguarding sensitive data from malicious actors.

Further Reading

  1. Official W3C CORS specification
  2. CORS Reference
  3. OWASP API Security Project
  4. OWASP API7:2019 Security Misconfiguration 
  5. F5 Distributed Cloud Services 
  6. F5 Distributed Cloud WAAP
  7. Overview of OWASP API Security Top 10 2019
Updated Feb 12, 2025
Version 7.0
apisecurity
cloud
F5 Distributed Cloud
F5 Distributed Cloud WAAP
OWASP-API-Security
security
series-f5-distributed-cloud
Verified Designs
  • Janibasha's avatar
    Janibasha
    Icon for Employee rankEmployee
    Feb 13, 2025

    Amazing article covering the CORS feature covering from nuances to mitigation.