Why is CORS still securing an open API where all requests have a wildcard (*)?

In case of an open API, the only possible value for Access-Control-Allow-Origin is a wildcard (*), since you can’t have a list of allowed domains.

Still, this seems not to bug developers and appears to keep the system secure. How is that possible? Isn’t allowing all domains to make every request the same as not having SOP or CORS Policy?

It might be that I don’t really get the security provided by CORS, but as I understood it, it prevents an unwanted domain from using session cookies of a user without his consent. Still, I don’t get why it protects the user from seeing his account used for unwanted purposes once a data modifying route is opened to this domain.

Can I use a wildcard in a datasheet view custom filter to NOT show titles that begin with certain words?

I have a calendar list view and want to be able to filter on the title to NOT show items that begin with the word Deleted.

Can you use a wildcard at the end of Deleted to grab all titles that begin with deleted?

Example: Does Not equal Deleted*

Thanks, Rhonda

udisksctl unmount with wildcard possible?

I use Ubuntu Bionic. Is it possible to unmount with udisksctl unmount using wildcards? Short story: when I plug in my backup drive, a user systemd.service starts my backup script. When the backup is ready, I have to unmount every partition with udisksctl unmount -b /dev/sdc1 and so on. I can't find anything in the man pages. I want to create a starter on the desktop to unmount all partitions of my backup drive at once.

Creating a PFX File for Wildcard SSL Certificate

I am trying to install a Wildcard SSL Certificate in IIS on Windows Server. It only accepts the .pfx file format for importing & installing an SSL certificate for hosted applications. I got the .csr file from CA as it was a wildcard cert.

I downloaded and installed OpenSSL for Windows (Latest version).

I placed the .crt file & .key file into C:\Program Files\OpenSSL-Win64\bin.

Then I ran this command to generate a random file:

set RANDFILE=C:\Program Files\OpenSSL-Win64\bin\<RANDOMFILENAME>.rnd 

Then I ran this command to give a path of config file:

set OPENSSL_CONF=C:\OpenSSL-Win64\bin\openssl.cfg 

Finally, I ran this command

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt 

The result of this was:

unable to load private key 140406554043456:error:0909006C:PEM routines: get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY 

I want to know if I’m making any mistake in the steps that I followed. I also want to know the reason for this error. I have the copy of private key & .crt file.

Following are some more inputs which will make my question more specific.

  1. I have the copy of generated-private-key.key file & .crt file. I changed the file names before executing the OpenSSL command. I even created the random file & config file.

  2. The SSL certificate that I got from CA is a wildcard certificate, which I used to install on multiple subdomains of a customer. It was successful. Now while creating the .pfx file once again, I’m facing this problem.

  3. A .pfx file should be created only on the server which was used to create .csr file. In our case, we got the .csr file from CA as it was a wildcard certificate.

(Thanks in advance. Any help is appreciated)

Wildcard Query for SharePoint Rest API

I tried using this example as the search parameter, “Share*”, but the result returns nothing.

            KeywordQuery keywordQuery = new KeywordQuery(clientContext);
            keywordQuery.QueryText = SearchParameter;
            keywordQuery.EnablePhonetic = true;
            keywordQuery.EnableOrderingHitHighlightedProperty = true;
            //keywordQuery.SummaryLength = 500;

            SearchExecutor searchExecutor = new SearchExecutor(clientContext);
            ClientResult<ResultTableCollection> results = searchExecutor.ExecuteQuery(keywordQuery);
            clientContext.ExecuteQuery();

Exploitability of allowed wildcard (*) CORS Origins with Bearer Token Authorization

I’m looking at the following setup. A web application uses a REST API to communicate with the server. All API responses include Origin: *. For authorization Authorization: Bearer <token> is used. Access-Control-Allow-Headers: Authorization is also included for appropriate preflight requests.

As Origin: * is configured, modern browsers will not send authorization data, such as the bearer token.

This makes it impossible to use API requests across domains, which require authorization (https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Requests_with_credentials).

I’m struggling to justify why this should be considered a vulnerability. It is bad practice to allow any origin. It could lead to data leakage, but not in this scenario.

Could this be exploited in another way that I’m not seeing right now, or is this in fact just bad practice that does not pose an actual threat?
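
An added example, not part of either CORS question on this page: a simplified model of the browser-side checks in the Fetch standard, run against the wildcard configuration described above, so a defender can see which cross-origin reads a given set of response headers permits. The function names, field names and the origin `https://other.example` are assumptions made for the example.

```javascript
// Simplified model of the browser-side CORS checks in the Fetch standard.
// Function names, field names and the sample origin are assumptions for this example.

// Preflight: may the page send these non-safelisted request headers?
function preflightAllowsHeaders(allowHeaders, requestHeaders, credentialsMode) {
  const allowed = (allowHeaders || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  return requestHeaders.every((name) => {
    const n = name.toLowerCase();
    if (allowed.includes(n)) return true; // listed explicitly
    // "*" is a wildcard only without credentials, and never covers Authorization
    return allowed.includes("*") && credentialsMode !== "include" && n !== "authorization";
  });
}

// CORS check on the response: may script running on `origin` read it?
function corsCheck(resp, origin, credentialsMode) {
  const acao = resp["access-control-allow-origin"];
  if (acao === undefined) return false;
  if (credentialsMode !== "include" && acao === "*") return true;
  if (acao !== origin) return false; // with credentials, "*" is not a match
  if (credentialsMode !== "include") return true;
  return resp["access-control-allow-credentials"] === "true";
}

function canReadCrossOrigin(resp, origin, credentialsMode, requestHeaders) {
  return preflightAllowsHeaders(resp["access-control-allow-headers"], requestHeaders, credentialsMode)
    && corsCheck(resp, origin, credentialsMode);
}

// Constructed sample responses
const ORIGIN = "https://other.example";
const wildcardApi = { "access-control-allow-origin": "*", "access-control-allow-headers": "Authorization" };
const wildcardHeaders = { "access-control-allow-origin": "*", "access-control-allow-headers": "*" };
const reflectedWithCreds = { "access-control-allow-origin": ORIGIN, "access-control-allow-credentials": "true" };

function evaluateScenarios() {
  return {
    headerSetByScript: canReadCrossOrigin(wildcardApi, ORIGIN, "omit", ["Authorization"]),
    cookiesWithWildcard: canReadCrossOrigin(wildcardApi, ORIGIN, "include", []),
    authorizationViaStarHeaders: canReadCrossOrigin(wildcardHeaders, ORIGIN, "omit", ["Authorization"]),
    cookiesWithReflectedOrigin: canReadCrossOrigin(reflectedWithCreds, ORIGIN, "include", []),
  };
}

console.log(evaluateScenarios());
```

In this model the wildcard blocks only requests made with ambient credentials (cookies, HTTP authentication); a header that the calling script sets itself is governed by Access-Control-Allow-Headers.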

Wildcard DNS not working properly

I initially added a wildcard subdomain as below on my cPanel account and it works fine (all levels of subdomain work):

  1. *.example.com

But when I add the following second wildcard subdomain to explicitly install SSL for it:

  1. *.co.uk.example.com

any domain ending with .uk.example.com no longer works (e.g. uk.example.com or test.net.uk.example.com … etc.).

Is there anything wrong with the DNS server (BIND), or is this by design?