Json Allowed Hosts Wildcard
Description
Detects the wildcard value (*) in the AllowedHosts setting of an ASP.NET Core application's appsettings.json. AllowedHosts feeds the Host Filtering middleware, which rejects requests whose Host header does not match one of the listed hosts. A wildcard accepts any Host header, so an attacker can send a request with an arbitrary host value and the application will process it. Wherever the application builds absolute URLs from the incoming Host header (password-reset links, redirects, canonical links, cached responses), this enables host header attacks such as password-reset poisoning and web cache poisoning, and it bypasses the access restriction the setting is meant to provide. The default ASP.NET Core project templates ship with "AllowedHosts": "*", so the finding is common in projects that never revisited the generated configuration.
Detection Strategy
• Scans appsettings.json configuration files in ASP.NET Core applications
• Looks for an AllowedHosts key at the top level of the JSON document
• Reports a vulnerability if the AllowedHosts value is the wildcard "*"
• Skips analysis for files not named appsettings.json
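The strategy above, written out as a small scanner. This is an added example, not Fluid Attacks' own rule implementation, and it goes beyond the rule in three ways that a practitioner usually wants: it also examines environment overlays (appsettings.Production.json and the like, which override the base file), it splits the value on ";" the way ASP.NET Core does so that a wildcard hidden inside a list such as "app.example.com;*" is still caught, and it flags a base appsettings.json with no AllowedHosts key at all, because ASP.NET Core's host setup falls back to "*" when the key is absent. The sample files, host names and service directories are constructed for the example.

```python
import json
import os
from typing import Optional

WILDCARD = "*"

# Constructed sample inputs for this example (path -> file content); not real project files.
SAMPLES = {
    "svc-a/appsettings.json": '{"Logging": {"LogLevel": {"Default": "Information"}}, "AllowedHosts": "*"}',
    "svc-a/appsettings.Production.json": '{"AllowedHosts": "app.example.com;api.example.com"}',
    "svc-a/appsettings.Staging.json": '{"AllowedHosts": "app.example.com; * "}',
    "svc-b/appsettings.json": '{"Logging": {}}',
    "svc-b/launchSettings.json": '{"AllowedHosts": "*"}',
    "svc-c/appsettings.json": '{"AllowedHosts": "*",}',
}


def is_appsettings_file(path: str) -> bool:
    """True for appsettings.json and environment overlays such as appsettings.Production.json."""
    name = os.path.basename(path)
    return name == "appsettings.json" or (name.startswith("appsettings.") and name.endswith(".json"))


def parse_allowed_hosts(value) -> list:
    """Split the semicolon-separated AllowedHosts string as ASP.NET Core does:
    entries are trimmed and empty entries dropped. Non-string values yield no hosts."""
    if not isinstance(value, str):
        return []
    return [h.strip() for h in value.split(";") if h.strip()]


def check_allowed_hosts(path: str, content: str) -> Optional[dict]:
    """Return a finding dict for `path`, or None when the file is out of scope or safe."""
    if not is_appsettings_file(path):
        return None
    try:
        config = json.loads(content)
    except json.JSONDecodeError as exc:
        return {"path": path, "kind": "parse_error", "detail": exc.msg}
    if not isinstance(config, dict) or "AllowedHosts" not in config:
        # Only the base file is expected to carry the key; overlays may legitimately omit it.
        # Assumption stated in the lead-in: a missing key makes ASP.NET Core fall back to "*".
        if os.path.basename(path) == "appsettings.json":
            return {"path": path, "kind": "missing", "detail": "AllowedHosts not set; host filtering falls back to '*'"}
        return None
    hosts = parse_allowed_hosts(config["AllowedHosts"])
    if WILDCARD in hosts:
        return {"path": path, "kind": "wildcard", "detail": f"AllowedHosts {hosts} accepts any Host header"}
    return None


def scan(files: dict) -> dict:
    """Run the check over a mapping of path -> content and return path -> finding for hits only."""
    findings = {}
    for path, content in files.items():
        result = check_allowed_hosts(path, content)
        if result is not None:
            findings[path] = result
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLES).values():
        print(f"{finding['path']}: [{finding['kind']}] {finding['detail']}")
```

Note that the scanner treats each file on its own; in a real deployment the effective value is the last layer loaded, and an environment variable named AllowedHosts overrides every JSON file, so a clean appsettings.json is necessary but not sufficient.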
Vulnerable code example
{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "AllowedHosts": "*" // Vulnerable: any Host header is accepted, so host header attacks are possible
}
✅ Secure code example
{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "AllowedHosts": "app.example.com;api.example.com" // Secure: only the listed hosts (placeholders) are accepted; the list is semicolon-separated
}
Set the value in every configuration layer the environment actually loads: appsettings.{Environment}.json overrides the base file, and an environment variable named AllowedHosts overrides both. Host filtering runs inside the application, so it remains the last line of defense even when a reverse proxy in front of it is expected to validate the Host header.