So I’m performing a penetration test and I’m 99% I found a FP, but want to bounce it off someone else who might be able to reaffirm what I’m seeing. All API endpoints authenticate using Basic Auth. Credentials are not cached from visiting the API directly(no prompt). I don’t see how anyone could exploit this since essentially if you attempt to cross origins, you get a API key missing due to no cookie being used.
Request Mockup
GET /v0/somethingcool HTTP/1.1
Host: api.myapp.com
Origin: https://gduzjbwdzbcz.com
Authorization: Basic BASICAUTHINFO
Response Mockup
HTTP/1.1 202 Accepted
access-control-allow-credentials: true
access-control-allow-headers: *, Content-Type, Accept, AUTHORIZATION, Cache-Control
access-control-allow-methods: POST, GET, OPTIONS
access-control-allow-origin: https://gduzjbwdzbcz.com
access-control-expose-headers: Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, Pragma
access-control-max-age: 1728000
content-type: application/json
{API DATA}