Java Cors Allow All Origins
Description
Detects insecure CORS (Cross-Origin Resource Sharing) configurations in Java applications that allow all origins, either through the wildcard value (*) or through settings that amount to the same thing (for example, a configuration that never restricts origins at all). With such a configuration, any website a victim visits can make cross-origin requests to the application and read the responses, potentially leading to unauthorized data access or actions. Note that browsers refuse to combine Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true, so a wildcard mainly exposes endpoints that do not depend on cookies, such as services reachable only from an internal network or behind an IP allowlist; a configuration that accepts any origin while also allowing credentials is strictly worse.
Detection Strategy
• Identifies method calls that set CORS headers or configure CORS policies (e.g. header(), setHeader(), allowedOrigins())
• Checks if these methods are used to set overly permissive origin values like wildcards (*) or allow all origins
• Reviews CORS configuration in both header manipulation and specific CORS configuration methods
• Reports a vulnerability when CORS is configured to accept requests from any origin without proper restrictions
Vulnerable code example
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class VulnerableController {
    @CrossOrigin(origins = "*") // Vulnerable: allows unrestricted access from any origin
    @GetMapping("/api/data")    // example endpoint
    public String data() {
        return "sensitive data";
    }
}
✅ Secure code example
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.http.ResponseEntity;
@RestController
public class SecureController {
    // Secure: only the explicitly allowlisted origin is accepted (example value)
    @CrossOrigin(origins = "https://app.example.com")
    @GetMapping("/api/data")    // example endpoint
    public ResponseEntity<String> data() {
        return ResponseEntity.ok("sensitive data");
    }
}