Java Cors Wildcard Origin
Description
Detects insecure CORS configurations in Spring applications where a wildcard (*) is used to allow all origins. This misconfiguration permits cross-origin requests from any domain, potentially exposing sensitive data and functionality to malicious websites.
Detection Strategy
• Scan Java properties files for CORS configuration parameters
• Check if any of these properties are set: 'management.cors.allowed-origins', 'spring.webflux.cors.allowed-origins', or 'spring.data.rest.cors.allowed-origins'
• Verify if the property value contains a wildcard character (*)
• Report a vulnerability if a wildcard CORS configuration is found
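One way to implement the strategy above as a small scanner, written here as an added example and not Fluid Attacks' own detector code: it parses an application.properties text the way java.util.Properties does (full-line `#`/`!` comments, `=` or `:` separators, backslash line continuations) and then flags any of the listed origin keys whose comma-separated value contains a bare `*`. The key set also includes `management.endpoints.web.cors.allowed-origins`, the key Spring Boot documents for actuator CORS and the one used in the secure example on this page. The functions `parse_properties`, `wildcard_origins` and `scan`, and the two sample property files, are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Keys named in the detection strategy above, plus the documented Spring Boot
# actuator CORS key that this page's secure example uses.
CORS_ORIGIN_KEYS = {
    "management.cors.allowed-origins",
    "management.endpoints.web.cors.allowed-origins",
    "spring.webflux.cors.allowed-origins",
    "spring.data.rest.cors.allowed-origins",
}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties-style parser (hypothetical helper).

    Supports full-line '#' / '!' comments, '=' or ':' separators and
    backslash line continuations. A '#' after the separator is NOT a
    comment in .properties files: it stays part of the value.
    """
    props: Dict[str, str] = {}
    logical: List[str] = []
    buf = ""
    for raw in text.splitlines():
        piece = raw.strip()  # continuation lines drop their leading whitespace
        buf = buf + piece if buf else piece
        if buf.endswith("\\") and not buf.endswith("\\\\"):
            buf = buf[:-1]  # a single trailing backslash joins the next line
            continue
        logical.append(buf)
        buf = ""
    if buf:
        logical.append(buf)
    for line in logical:
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def wildcard_origins(props: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (key, value) for every CORS origin list containing a bare '*'.

    The check is per comma-separated entry, so 'https://a.example,*' is
    flagged (Spring treats a '*' entry as "all origins") while a value that
    only names trusted hosts is not.
    """
    findings: List[Tuple[str, str]] = []
    for key, value in props.items():
        if key in CORS_ORIGIN_KEYS:
            entries = [e.strip() for e in value.split(",")]
            if "*" in entries:
                findings.append((key, value))
    return findings


def scan(text: str) -> List[str]:
    """One report line per finding, in file order."""
    return [
        f"{key}={value}: wildcard allows cross-origin requests from any site"
        for key, value in wildcard_origins(parse_properties(text))
    ]


# Constructed sample mirroring the page's vulnerable configuration.
VULNERABLE_PROPERTIES = """\
# application.properties with insecure CORS configurations
management.endpoints.web.exposure.include=*
management.cors.allowed-origins=*
spring.webflux.cors.allowed-origins=*
"""

# Constructed sample mirroring the page's secure configuration. The inline '#'
# is kept on purpose to show that it becomes part of the value.
SECURE_PROPERTIES = """\
management.endpoints.web.exposure.include=health,info # Only expose necessary endpoints
management.endpoints.web.cors.allowed-origins=https://trusted-admin.example.com,\\
    https://ops.example.com
management.endpoints.web.cors.allowed-methods=GET
"""

if __name__ == "__main__":
    for line in scan(VULNERABLE_PROPERTIES):
        print(line)
    print("secure sample findings:", scan(SECURE_PROPERTIES))
```

Run against the vulnerable sample the scanner reports the two origin keys set to `*`; the `management.endpoints.web.exposure.include=*` line is a separate exposure concern and is not a CORS origin key, so it is not reported here. The secure sample also shows why an inline `#` on a property line is a trap: the exposure value parsed from it is `health,info # Only expose necessary endpoints`, not `health,info`.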
Vulnerable code example
# application.properties with insecure CORS configurations
# Actuator endpoints exposed to all origins - vulnerable to unauthorized access
management.endpoints.web.exposure.include=*
management.cors.allowed-origins=*
# WebFlux CORS allowing all origins - vulnerable to cross-origin attacks
spring.webflux.cors.allowed-origins=*
...
✅ Secure code example
# application.properties with secure CORS configurations
# Actuator endpoints - limit exposure and restrict origins
# Only expose necessary endpoints (an inline '#' is not a comment in a .properties file; it would become part of the value)
management.endpoints.web.exposure.include=health,info
management.endpoints.web.cors.allowed-origins=https://trusted-admin.example.com
management.endpoints.web.cors.allowed-methods=GET
management.endpoints.web.cors.max-age=3600
...