Kotlin Insecure Cors Origin Servlet
Description
Detects insecure CORS (Cross-Origin Resource Sharing) configurations in Kotlin servlet applications where the Access-Control-Allow-Origin header is set to an unsafe value, such as the wildcard '*' or a value taken from the request. With such a header in place the browser allows pages on unrelated websites to make requests to the application and read the responses, potentially leading to cross-site attacks.
Detection Strategy
• Application uses Jakarta or javax servlet libraries
• Code sets the 'Access-Control-Allow-Origin' header on an HttpServletResponse object
• The origin value is potentially unsafe (e.g., the wildcard '*', or a dynamic/user-controlled value such as the request's own Origin header echoed back unchanged)
• The header value is not properly sanitized or validated before being set
Vulnerable code example

```kotlin
import jakarta.servlet.http.HttpServlet
import jakarta.servlet.http.HttpServletRequest
import jakarta.servlet.http.HttpServletResponse

class UnsafeCorsServlet : HttpServlet() {
    override fun doGet(request: HttpServletRequest, response: HttpServletResponse) {
        // VULNERABLE: Allows any domain to access this resource
        response.setHeader("Access-Control-Allow-Origin", "*")
    }
}
```

✅ Secure code example
```kotlin
import jakarta.servlet.http.HttpServlet
import jakarta.servlet.http.HttpServletRequest
import jakarta.servlet.http.HttpServletResponse

class SafeCorsServlet : HttpServlet() {
    companion object {
        // Whitelist of allowed origins instead of allowing all domains
        private val ALLOWED_ORIGINS = setOf(...
```
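The following is a complete version of the allowlist approach, added here as an illustration; it is not the page's own code nor Fluid Attacks' rule implementation. The class name and the two origins in ALLOWED_ORIGINS are assumed placeholders. Beyond the snippet above it also answers the preflight OPTIONS request and emits Vary: Origin so that a cached response for one origin is not reused for another.

```kotlin
import jakarta.servlet.http.HttpServlet
import jakarta.servlet.http.HttpServletRequest
import jakarta.servlet.http.HttpServletResponse

// Added example (not the page's own code). The origins below are placeholders;
// replace them with the application's real front-end origins.
class AllowlistCorsServlet : HttpServlet() {
    companion object {
        // Exact-match allowlist: scheme + host (+ port), no trailing slash,
        // no wildcard. Matching is case-sensitive on purpose so that a value
        // such as "https://Example.com" is not silently accepted.
        private val ALLOWED_ORIGINS: Set<String> = setOf(
            "https://app.example.com",   // placeholder
            "https://admin.example.com"  // placeholder
        )

        // Returns the origin to echo back, or null when the request carries no
        // Origin header or the origin is not on the allowlist. Kept as a pure
        // function so it can be unit-tested without a servlet container.
        fun resolveAllowedOrigin(origin: String?): String? =
            origin?.takeIf { it in ALLOWED_ORIGINS }
    }

    // Sets the CORS response headers for an allowlisted origin and returns
    // true; for any other origin it sets no Access-Control-* header at all.
    private fun applyCors(request: HttpServletRequest, response: HttpServletResponse): Boolean {
        // Caches must key on Origin, otherwise a response that carried the
        // header for one origin could be served to a different one.
        response.addHeader("Vary", "Origin")

        val allowed = resolveAllowedOrigin(request.getHeader("Origin")) ?: return false

        // Echo only an allowlisted value: never "*" and never the raw request
        // header. Credentials are only safe to allow because the value is not
        // the wildcard and not attacker-chosen.
        response.setHeader("Access-Control-Allow-Origin", allowed)
        response.setHeader("Access-Control-Allow-Credentials", "true")
        response.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
        response.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization")
        response.setHeader("Access-Control-Max-Age", "600")
        return true
    }

    override fun doOptions(request: HttpServletRequest, response: HttpServletResponse) {
        // Preflight: reply with the CORS headers (or none) and an empty body.
        applyCors(request, response)
        response.status = HttpServletResponse.SC_NO_CONTENT
    }

    override fun doGet(request: HttpServletRequest, response: HttpServletResponse) {
        applyCors(request, response)
        // Without an Access-Control-Allow-Origin header the browser refuses to
        // expose this body to scripts running on any other origin; the request
        // itself is still served, which is standard CORS behaviour.
        response.contentType = "application/json"
        response.writer.write("""{"status":"ok"}""")
    }
}
```

The pattern the detection strategy above flags as "dynamic/user-controlled" is the shortcut of writing `request.getHeader("Origin")` straight into Access-Control-Allow-Origin; `resolveAllowedOrigin` is the validation step that turns that reflected value into a checked one, and returning null rather than a fallback such as "*" is what keeps a rejected origin from receiving any cross-origin permission.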