Documentation on findings of CORS misconfiguration #41

Merged
aNebula merged 1 commit into thoth-tech:main from ibi420:fix/CORS_config on Jun 13, 2025

Conversation

@ibi420 ibi420 commented May 19, 2025

Description

This pull request adds documentation verifying the CORS configuration of the OnTrack production web application (https://ontrack.deakin.edu.au). It addresses a previously reported vulnerability in the development environment (http://172.18.0.1:4200) where the server responded with Access-Control-Allow-Origin: *.

The report includes:

  • Reproduction of the issue using curl with custom Origin headers
  • Confirmation that the production environment is not vulnerable to CORS misconfiguration
  • A comparative analysis between production and internal environments
  • Security recommendations to prevent similar issues in other deployments

Fixes # (issue)

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation (update or new)

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration.

  • Used curl.exe -I https://ontrack.deakin.edu.au to inspect default headers
  • Used curl.exe -H "Origin: https://evil.com" -I https://ontrack.deakin.edu.au to simulate a malicious cross-origin request
  • Verified that the server did not return Access-Control-Allow-Origin or allow credentialed requests

Testing Checklist

  • Tested using curl in Windows PowerShell and Git Bash
  • Confirmed secure behavior in production
  • Compared findings with previous report on the dev environment

Checklist

  • I have made corresponding changes to the documentation
  • My changes generate no new warnings

netlify Bot commented May 19, 2025

Deploy Preview for ontrackdocumentation ready!

Latest commit: 12c9050
Latest deploy log: https://app.netlify.com/projects/ontrackdocumentation/deploys/682ad90f295ac30008619421
Deploy Preview: https://deploy-preview-41--ontrackdocumentation.netlify.app

@returnMarcco returnMarcco left a comment

Hi @ibi420,

Great work on the documentation. I've completed my review and these are my findings:

  • Grammar is correct
  • Wording is appropriate for a technical document
  • General formatting and structure is satisfactory
  • Documentation purpose is clear
  • Context is provided
  • Test methods and tooling have been clearly described
  • Findings have been clearly listed, with conclusions listed
  • Recommended actions have been provided
  • Summary has been provided

Overall, great job. I was able to understand the purpose of the document, the context which sparked the creation of the document, test methods and tooling used, and outcomes of all tests performed.

The list of recommended actions seems plausible; although I don't come from a background of Cybersecurity, I was able to conduct quick research to learn more about Cross Origin Resource Sharing and how it can be mitigated. Your suggestion of avoiding Wildcard Origins is something I came across in my research. Your suggestion of Security Awareness also makes total sense, as education can often be key to spotting and fixing vulnerabilities like this.

Your reference list also lists reputable sources of information.

All in all, good job. Approved.

@theiris6 theiris6 left a comment

Hi @ibi420,
Thanks for your submission. I’ve reviewed the documentation and found it to be clear, well-structured, and technically appropriate.
The purpose and context are well explained, and the testing steps—particularly the use of curl to simulate malicious requests—are practical and easy to follow. Your comparison between production and development environments is helpful, and the recommendations are relevant and actionable.
The document meets all expectations, including clarity, relevance, and completeness.
Approved.

@atharv02-git atharv02-git left a comment

Hey @ibi420, I just went through your work; great job on documenting everything so clearly. Here’s what I found from my end:

  1. I first ran the OnTrack environment in development mode and, as expected, I saw the header Access-Control-Allow-Origin: * in the response, confirming the CORS misconfiguration you referenced from the earlier report.
    [Screenshot 2025-05-20 232016]

  2. I then followed your structure and used:
    curl -I https://ontrack.deakin.edu.au and curl -H "Origin: https://evil.com" -I https://ontrack.deakin.edu.au
    In both cases, I did not see the Access-Control-Allow-Origin: * header, confirming the production environment is secured against this vulnerability.
    [image]

  3. However, I was curious whether ontrack.deakin.edu.au is truly equivalent to the local production environment. So, I restarted OnTrack in production mode (using the production flag inside package.json)
    (Go to package.json and set line 14 to: "build:angular17": "ng build --configuration production", and start your environment using npm start as usual)
    [image]
    and then I re-ran the same two curl commands, but I still received: Access-Control-Allow-Origin: *
    [Screenshot 2025-05-20 232916]

This made me wonder: is our local 8.0.x "production mode" setup truly aligned with what's deployed at ontrack.deakin.edu.au? If so, this might not be a false positive after all but a real CORS misconfiguration in our production-ready build.

That said, your documentation was super clear and really helped me understand both the root cause of the issue and how the exploit works in practice. It was easy to follow, and your methodology was spot on. Appreciate the work you've put in, nicely done! 🫡

The only recommendation here is: please try to rerun the localhost environment using the production flag, run the curl command again, and check the result.
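Both the PR description's test steps and atharv02-git's local reproduction above come down to the same manual check: send a request with a spoofed Origin header and read back Access-Control-Allow-Origin and Access-Control-Allow-Credentials. The shell helper below automates that classification so the dev build, the local production-mode build and the public host can be compared with one command. It is an added example written for this page, not code from the OnTrack repository or from the report; the function name cors_check and the three sample header blocks are constructed for illustration and were not captured from OnTrack.

```shell
#!/bin/sh
# Added example: classify a server's CORS posture from its raw response headers.
# Pipe the output of the curl commands used in this PR into cors_check, e.g.
#   curl -sI -H "Origin: https://evil.com" https://ontrack.deakin.edu.au | cors_check https://evil.com
# The sample header blocks at the bottom are constructed for this example.

# cors_check TEST_ORIGIN  (reads response headers on stdin, prints "VERDICT explanation")
cors_check() {
  origin="$1"
  acao=""
  acac=""
  # Walk the header block once; the "|| [ -n ]" keeps a last line with no trailing newline.
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "$line" | tr -d '\r')            # strip CRLF line endings
    case "$line" in *:*) ;; *) continue ;; esac         # skip status line and blank lines
    name=$(printf '%s' "${line%%:*}" | tr '[:upper:]' '[:lower:]')   # header names are case-insensitive
    value=$(printf '%s' "${line#*:}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    case "$name" in
      access-control-allow-origin)      acao="$value" ;;
      access-control-allow-credentials) acac=$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]') ;;
    esac
  done

  if [ -z "$acao" ]; then
    echo "NONE no Access-Control-Allow-Origin header; browsers block cross-origin reads"
  elif [ "$acao" = "*" ]; then
    echo "WILDCARD any origin may read responses (browsers never send credentials for '*')"
  elif [ "$acao" = "$origin" ] && [ "$acac" = "true" ]; then
    echo "REFLECTED_CREDENTIALED test origin echoed back with credentials allowed; highest risk"
  elif [ "$acao" = "$origin" ]; then
    echo "REFLECTED test origin echoed back; review whether the responses carry non-public data"
  else
    echo "ALLOWLIST only $acao is permitted"
  fi
}

# Constructed samples (not captured from OnTrack): a permissive dev-style response,
# a hardened production-style response, and an origin-reflecting response with credentials.
DEV_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html
Access-Control-Allow-Origin: *'
PROD_HEADERS='HTTP/2 200
content-type: text/html
strict-transport-security: max-age=31536000'
REFLECT_HEADERS='HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://evil.com
Access-Control-Allow-Credentials: True
Vary: Origin'

printf 'dev:     %s\n' "$(printf '%s\n' "$DEV_HEADERS"     | cors_check https://evil.com)"
printf 'prod:    %s\n' "$(printf '%s\n' "$PROD_HEADERS"    | cors_check https://evil.com)"
printf 'reflect: %s\n' "$(printf '%s\n' "$REFLECT_HEADERS" | cors_check https://evil.com)"
```

Run the same pipeline against the local build started in production mode, as atharv02-git did, and against the public host: a WILDCARD verdict locally beside NONE from ontrack.deakin.edu.au suggests the header is being set (or stripped) by something other than the Angular build configuration in the deployed environment, which is worth confirming before treating the local result as a false positive. The REFLECTED_CREDENTIALED case is included because an allow-list that simply echoes the incoming Origin is a common way a "fixed" wildcard regresses into something worse.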

@aNebula aNebula requested review from aNebula and removed request for aNebula June 13, 2025 13:08
@aNebula aNebula merged commit 949ff88 into thoth-tech:main Jun 13, 2025
4 checks passed
