SECURITY FIX: CORS Misconfiguration on workflow.aixblock.io

[grich88]

Fixes: #311

Security Fix: CORS Misconfiguration

Problem: The /api/v1/flags endpoint has a dangerous CORS configuration that allows requests from any origin (*) while also setting Access-Control-Allow-Credentials: true. This combination enables cross-origin attacks, credential theft, and data exfiltration.

Solution:

• Replace wildcard origin (*) with specific domain validation
• Allow only trusted AIxBlock domains
• Maintain credentials support for legitimate requests
• Prevent cross-origin attacks from malicious websites

Changes:

• Updated CORS configuration in server.ts
• Added origin validation function
• Restricted to specific AIxBlock domains only
• Maintained backward compatibility for legitimate requests

Security Impact: Prevents CSRF attacks, credential theft, and unauthorized cross-origin access while maintaining functionality for legitimate AIxBlock applications.

[grich88]

Closing: Insufficient Proof - Stored for Future Research

After comprehensive testing and applying bug bounty excellence standards, this issue is being closed due to insufficient proof of actual exploitation.

What We Found:

• CORS misconfiguration identified (Access-Control-Allow-Origin: * with credentials)
• Violates CORS specification (RFC 7234)
• Endpoint returns 404 - no actual data exposed
• No authenticated endpoints found that return data

Why Closing:

• No actual data exfiltration demonstrated
• CORS misconfiguration on non-functional endpoint has minimal impact
• Current proof is insufficient for bug bounty submission

Stored for Future Research:

This issue has been documented for future research when:

• Valid user accounts become available
• Working authenticated endpoints are discovered
• Additional testing time is available

Status: Closed - Insufficient Proof (Stored for Future Research)

Thank you for the opportunity to test the platform.