Scala Header Insecure Cors Configuration
Description
This detector identifies insecure CORS (Cross-Origin Resource Sharing) configurations in Scala web applications that set overly permissive origin values in the Access-Control-Allow-Origin response header. A misconfigured CORS policy lets a page served from an attacker-controlled origin issue requests to the application from the victim's browser and read the responses, which the same-origin policy would otherwise keep isolated. With a wildcard origin this exposes any data the endpoint returns to unauthenticated callers; if the request's Origin is reflected back together with Access-Control-Allow-Credentials: true, the attacker's page can read responses issued with the victim's own session cookies.
Detection Strategy
• The code must import the Jakarta or Java servlet HTTP API (jakarta.servlet.http.* or javax.servlet.http.*)
• A header-writing method (such as setHeader or addHeader) must be called on an HttpServletResponse object with the Access-Control-Allow-Origin header as its target
• The value written to that header must be an unsafe CORS origin: a wildcard '*' or an overly broad origin pattern
• The detector specifically looks for CORS header configuration methods whose origin argument would let arbitrary origins read responses, defeating the same-origin policy
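The four criteria above describe a simple static check: gate on the servlet imports, find the header-setting call, inspect its origin argument. The following Python script is an added illustration of that logic and is not Fluid Attacks' detector or the project's code. It runs over a handful of constructed Scala snippets embedded inline, flags the literal wildcard and the literal "null" origin named on this page, and additionally (an assumption that goes beyond the listed criteria) flags a request Origin that is copied straight into the response header, since that reflection has the same effect as a wildcard. The class names, the `org.example.Response` type and the sample snippets are all made up for the demonstration.

```python
import re
from dataclasses import dataclass

# File-level gate: the check only applies to code that uses the servlet API
SERVLET_IMPORT = re.compile(
    r"^\s*import\s+(?:javax|jakarta)\.servlet\.http\b", re.MULTILINE
)

# A setHeader/addHeader call whose first argument is the CORS origin header;
# the greedy group captures the whole second argument, nested calls included
CORS_CALL = re.compile(
    r'\.(?P<method>setHeader|addHeader)\(\s*"Access-Control-Allow-Origin"\s*,\s*'
    r'(?P<value>.*)\)'
)

# Origin values that defeat the same-origin policy outright
UNSAFE_LITERALS = {'"*"', '"null"'}
# Assumption: the request's own Origin echoed straight into the header is
# treated as unsafe (an allow-list check before the call would not match this)
REFLECTED_ORIGIN = re.compile(r'getHeader\(\s*"Origin"\s*\)')


@dataclass(frozen=True)
class Finding:
    line: int
    method: str
    value: str
    reason: str


def scan_scala(source: str) -> list[Finding]:
    """Return one Finding per line that writes an unsafe CORS origin."""
    if not SERVLET_IMPORT.search(source):
        return []
    findings: list[Finding] = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        m = CORS_CALL.search(text)
        if not m:
            continue
        value = m.group("value").strip()
        if value in UNSAFE_LITERALS:
            reason = f"origin set to literal {value}"
        elif REFLECTED_ORIGIN.search(value):
            reason = "request Origin reflected into the response"
        else:
            continue  # e.g. a value that came out of an allow-list
        findings.append(Finding(lineno, m.group("method"), value, reason))
    return findings


# Constructed Scala snippets used as input; not code from the original page
SAMPLES = {
    "wildcard": """\
import javax.servlet.http.HttpServlet
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse

class V extends HttpServlet {
  override def doGet(req: HttpServletRequest, resp: HttpServletResponse): Unit =
    resp.setHeader("Access-Control-Allow-Origin", "*")
}
""",
    "reflected": """\
import jakarta.servlet.http.HttpServlet
import jakarta.servlet.http.HttpServletRequest
import jakarta.servlet.http.HttpServletResponse

class R extends HttpServlet {
  override def doGet(req: HttpServletRequest, resp: HttpServletResponse): Unit = {
    resp.addHeader("Access-Control-Allow-Origin", req.getHeader("Origin"))
    resp.addHeader("Access-Control-Allow-Credentials", "true")
  }
}
""",
    "allowlist": """\
import javax.servlet.http.HttpServlet
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse

class S extends HttpServlet {
  private val allowed = Set("https://my-safe-frontend.com")
  override def doGet(req: HttpServletRequest, resp: HttpServletResponse): Unit =
    Option(req.getHeader("Origin")).filter(allowed.contains).foreach { o =>
      resp.setHeader("Access-Control-Allow-Origin", o)
    }
}
""",
    # No servlet import: a hypothetical non-servlet response type, so the gate skips it
    "no_servlet_import": """\
object Other {
  def cors(resp: org.example.Response): Unit =
    resp.setHeader("Access-Control-Allow-Origin", "*")
}
""",
}


def scan_samples() -> dict[str, list[tuple[int, str, str]]]:
    """Run the detector over every sample; returns (line, method, value) per finding."""
    return {
        name: [(f.line, f.method, f.value) for f in scan_scala(src)]
        for name, src in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name}: {hits or 'no findings'}")
```

The check is line-local and regex-based, so it is a heuristic: an origin that is read from the request, validated against an allow-list on an earlier line and then passed in a variable is correctly left alone, but so is one that was never validated, which is why a real detector works on the parsed AST with data-flow information rather than on text.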
Vulnerable code example
import javax.servlet.http.HttpServlet
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse

class VulnerableCorsServlet extends HttpServlet {
  // VULNERABLE: Wildcard allows any origin to access sensitive data
  override def doGet(req: HttpServletRequest, resp: HttpServletResponse): Unit = {
    // Any page on any origin can now read this response from the victim's browser
    resp.setHeader("Access-Control-Allow-Origin", "*")
    // ... response body containing the user's data is written here
  }
}
✅ Secure code example
import javax.servlet.http.HttpServlet
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse

class SecureCorsServlet extends HttpServlet {
  // Explicit allow-list of trusted origins; the request Origin is never echoed unchecked
  private val allowedOrigins = Set(
    "https://my-safe-frontend.com"
  )

  override def doGet(req: HttpServletRequest, resp: HttpServletResponse): Unit = {
    // Emit the CORS header only when the caller's Origin is on the allow-list
    Option(req.getHeader("Origin")).filter(allowedOrigins.contains).foreach { origin =>
      resp.setHeader("Access-Control-Allow-Origin", origin)
      resp.addHeader("Vary", "Origin") // keep caches from serving one origin's answer to another
    }
  }
}