Disable DAST Check 40040-2 (CORS Misconfiguration) due to FP
Problem
The ZAP check 40040-2 (CORS Misconfiguration) incorrectly flags `Access-Control-Allow-Origin: *`
as a vulnerability. This is not a vulnerability: allowing all origins to read the response is acceptable because browsers never send cookie credentials on a cross-origin request answered with the wildcard `*` (credentialed CORS requires a specific origin), so no authenticated data is exposed.
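To show where the line between a false positive and a real CORS misconfiguration sits, here is an added classifier (example code, not the project's or ZAP's own logic) that goes beyond the page's wildcard case and also covers the credentialed origin-reflection case that a scanner should still report; all header samples are constructed.

```python
"""Classify CORS response headers the way a less noisy DAST check would.

Added example, not project or ZAP code. The point of the issue: a bare
`Access-Control-Allow-Origin: *` is not a vulnerability, because browsers
only attach cookies or Authorization to a cross-origin request when the
server answers with a *specific* origin plus
`Access-Control-Allow-Credentials: true`; a wildcard combined with
credentials is rejected by the browser, so no credentialed response is
readable. Only a reflected origin *with* credentials exposes authenticated data.
"""


def classify_cors(headers: dict, request_origin: str) -> str:
    """Return a finding label for one response to a cross-origin probe.

    headers: response headers (looked up case-insensitively)
    request_origin: the Origin value the probe sent (constructed)
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"

    if acao is None:
        return "none"  # no cross-origin read access granted at all
    if acao == "*":
        # Wildcard: any page may read the response, but never with cookies.
        # With credentials=true the browser refuses the response outright.
        return "wildcard-with-credentials-rejected" if creds else "public-no-credentials"
    if acao == request_origin:
        # The server echoed the probe's origin back. Dangerous only when
        # credentials are also allowed, since that exposes authenticated data.
        return "reflected-origin-credentialed" if creds else "reflected-origin-anonymous"
    return "fixed-allowlist"  # a specific origin that is not the probe's


def should_alert(label: str) -> bool:
    """Only credentialed origin reflection is a real misconfiguration."""
    return label == "reflected-origin-credentialed"


# Constructed samples: the JuiceShop-style wildcard (false positive) versus
# a credentialed reflection (true positive).
WILDCARD = {"Access-Control-Allow-Origin": "*"}
REFLECTED = {
    "Access-Control-Allow-Origin": "https://attacker.example",
    "Access-Control-Allow-Credentials": "true",
}
```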
Example
The JuiceShop demo project exhibits this behavior.
Solution
If possible, disable 40040-2 only. If that is not possible, the entire 40040 check must be disabled. Disable 40040-2 in `exclude_rules.yml`:

```yaml
- rule_id: 40040-2
  name: CORs Misconfiguration
  link: https://www.zaproxy.org/docs/alerts/40040-2/
```
If disabling is not possible, then 40040 should be aggregated by adding it to the aggregated list in `alerts.py`.
Edited by Isaac Dawson