Scala Cors Wildcard Origin Header
Description
Detects insecure Cross-Origin Resource Sharing (CORS) configurations in Scala Play applications that set the Access-Control-Allow-Origin header to the wildcard value '*'. With '*', a browser lets JavaScript running on any origin read the response, so data that was only meant for the application's own front end can be read by a malicious site the user happens to visit. Browsers refuse to combine '*' with Access-Control-Allow-Credentials: true, so cookie-authenticated responses are not exposed by the wildcard alone; the exposure is greatest for resources that are private only by network position (for example an internal service reached through the victim's browser) or that are otherwise readable without browser-managed credentials. Reflecting whatever Origin the request carries, with credentials enabled, is the more dangerous form of the same mistake, so the fix is an explicit allowlist of trusted origins, not echoing the request's Origin unchecked.
Detection Strategy
• Identifies calls to the withHeaders method on a Play Result in Scala Play code
• Examines the header tuples passed to withHeaders and looks for the CORS header Access-Control-Allow-Origin
• Reports a vulnerability when that header's value is the literal '*' (wildcard), which lets any origin read the response
• Covers header configurations in HTTP response builders and in CORS filter configurations
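The following is an added example and not Fluid Attacks' scanner: a minimal, line-based Scala implementation of the strategy above, run over a constructed source snippet. The names WildcardCorsDetector, Finding and scan are assumptions, and the parenthesis tracking is a simplification of what an AST-based rule would do; it is here to show which patterns are and are not reported.

```scala
import scala.util.matching.Regex

// Added example, not the original page's or Fluid Attacks' code. Names are assumptions.
object WildcardCorsDetector {
  final case class Finding(line: Int, snippet: String)

  // Matches the Play tuple form  "Access-Control-Allow-Origin" -> "*"  with any spacing.
  private val wildcardAcao: Regex =
    "\"Access-Control-Allow-Origin\"\\s*->\\s*\"\\*\"".r

  // Reports a finding only for tuples that sit lexically inside a withHeaders(...)
  // call, so a "*" used elsewhere in the file is not flagged.
  def scan(source: String): Seq[Finding] = {
    val findings = Vector.newBuilder[Finding]
    var inWithHeaders = false
    var depth = 0
    source.linesIterator.zipWithIndex.foreach { case (text, idx) =>
      if (!inWithHeaders && text.contains("withHeaders(")) {
        inWithHeaders = true
        depth = 0
      }
      if (inWithHeaders) {
        if (wildcardAcao.findFirstIn(text).isDefined) findings += Finding(idx + 1, text.trim)
        // Track parentheses to know when the withHeaders(...) call closes.
        depth += text.count(_ == '(') - text.count(_ == ')')
        if (depth <= 0) inWithHeaders = false
      }
    }
    findings.result()
  }

  // Constructed sample input: one wildcard call, one allowlisted call,
  // and one "*" tuple that is not an argument of withHeaders.
  val sample: String =
    """def a = Action { Ok("x").withHeaders("Access-Control-Allow-Origin" -> "*") }
      |def b = Action { Ok("y")
      |  .withHeaders(
      |    "Access-Control-Allow-Origin" -> "https://trusted.example.com"
      |  )
      |}
      |val unrelated = "Access-Control-Allow-Origin" -> "*" // not inside withHeaders
      |""".stripMargin

  def main(args: Array[String]): Unit =
    scan(sample).foreach(f => println(s"line ${f.line}: ${f.snippet}"))
}
```

Only the first definition in the sample is reported: the second uses a concrete origin, and the third tuple is never passed to withHeaders. A string-valued origin that is computed at runtime (for example a reflected request header) is not caught by this literal check, which is why the secure pattern below validates the origin against an allowlist rather than relying on the scanner alone.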
Vulnerable code example
import play.api.mvc._

def insecureEndpoint = Action {
  Ok("Hello")
    .withHeaders(
      "Access-Control-Allow-Origin" -> "*" // Vulnerable: allows access from any origin
    )
}

✅ Secure code example
import play.api.mvc._

def secureEndpoint = Action { request =>
  // Define specific trusted origin instead of wildcard
  val trustedOrigin = "https://trusted.example.com"
  Ok("Hello")
    .withHeaders(...
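As an added example that is not code from the original page, the following Play controller carries the secure pattern through: the request's Origin is compared against an explicit allowlist and echoed back only on a match, the wildcard is never emitted, Vary: Origin is always set so shared caches do not mix responses for different origins, and the preflight response applies the same check. The names OriginAllowlist, corsHeadersFor, SecureCorsController and preflight, the sample origins, and the allowed methods and headers are all assumptions for the example.

```scala
package controllers

import javax.inject.Inject
import play.api.mvc._

// Added example, not code from the original page. Names and sample values are assumptions.
object OriginAllowlist {
  // Exact-match allowlist: scheme, host and (if non-default) port must all match.
  // Constructed sample values.
  private val trustedOrigins: Set[String] = Set(
    "https://trusted.example.com",
    "https://app.example.com"
  )

  // CORS headers for this request. The Origin is echoed back only if it is on
  // the allowlist; otherwise no Access-Control-Allow-Origin is sent at all.
  // "*" is never emitted, and "Vary: Origin" is always set so a cache does
  // not serve one origin's response to another.
  def corsHeadersFor(request: RequestHeader): Seq[(String, String)] = {
    val vary = Seq("Vary" -> "Origin")
    request.headers.get("Origin") match {
      case Some(origin) if trustedOrigins.contains(origin) =>
        vary ++ Seq(
          "Access-Control-Allow-Origin" -> origin,
          // Credentials are only safe together with a concrete, allowlisted origin.
          "Access-Control-Allow-Credentials" -> "true"
        )
      case _ => vary
    }
  }
}

class SecureCorsController @Inject() (cc: ControllerComponents)
    extends AbstractController(cc) {

  def secureEndpoint: Action[AnyContent] = Action { request =>
    Ok("Hello").withHeaders(OriginAllowlist.corsHeadersFor(request): _*)
  }

  // Preflight (OPTIONS) responses need the same origin check. The methods,
  // headers and max-age listed here are assumptions for the example.
  def preflight(path: String): Action[AnyContent] = Action { request =>
    val allowed = OriginAllowlist.corsHeadersFor(request)
    val extra = Seq(
      "Access-Control-Allow-Methods" -> "GET, POST",
      "Access-Control-Allow-Headers" -> "Content-Type, Authorization",
      "Access-Control-Max-Age" -> "600"
    )
    NoContent.withHeaders((allowed ++ extra): _*)
  }
}
```

Wiring the preflight handler assumes a routes entry such as OPTIONS /*path controllers.SecureCorsController.preflight(path: String). When the whole application needs CORS, the same allowlist belongs in Play's built-in filter instead of in every action: enable play.filters.cors.CORSFilter and set play.filters.cors.allowedOrigins to the concrete origins (leaving it unset, or empty, allows all origins in that filter), and only turn on play.filters.cors.supportsCredentials once the origin list is restricted. The detection rule above flags the literal '*' in withHeaders; an allowlist that is configured but left empty is the equivalent mistake in the filter configuration and should be checked by hand.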