Scala Cors Wildcard Origin Config

Description

Detects insecure CORS (Cross-Origin Resource Sharing) configurations in Scala Play Framework applications whose CORS filter allows wildcard origins (*). Browsers send cross-origin requests regardless of CORS; what the policy controls is whether the requesting page is allowed to read the response. A wildcard origin therefore lets a page served from any domain read the application's responses, and the impact is greatest when the filter is also configured to accept credentialed requests (cookies, Authorization headers), because a hostile page could then read responses intended for an authenticated user.

Weakness:

134 - Insecure or unset HTTP headers - CORS

Category: Protocol Manipulation

Detection Strategy

    Scans configuration files for CORS-related settings in Play Framework

    Identifies lines containing CORS configuration patterns that specify wildcard (*) origins

    Reports a vulnerability when CORS settings are found that allow unrestricted cross-origin access

❌ Vulnerable code example

play.filters.cors {
  allowedOrigins = ["*"]  // VULNERABLE: a page on any origin may read this application's responses
  allowedHttpMethods = ["GET", "POST"]
}

✅ Secure code example

play.filters.cors {
  allowedOrigins = ["https://trusted.example.com"]  // Only allow requests from trusted domain
  allowedHttpMethods = ["GET", "POST"]
}
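As an added example that is not part of this database entry or of any vendor's scanner, the following Python script implements the detection strategy described above over constructed configuration snippets: the vulnerable and secure examples from this page, the same setting written as a HOCON dotted key, and an unrelated block with the same key name that must not be reported. It goes slightly beyond the rule as stated by also reporting allowedOrigins = null, which Play's reference configuration documents as allowing every origin. The regexes, helper names and sample configs are this example's own assumptions, and one key per line is assumed (a simplification, not a full HOCON parser).

```python
"""Added example: a minimal line-based detector for wildcard CORS origins in
Play Framework HOCON configs. Not the database's own scanner; it resolves
nested keys and flags play.filters.cors.allowedOrigins entries that allow
every origin."""
import re

# --- constructed sample configs (not taken from any real project) -------------
VULNERABLE_CONF = """
play.filters.cors {
  allowedOrigins = ["*"]  // VULNERABLE: any origin may read responses
  allowedHttpMethods = ["GET", "POST"]
}
"""

SECURE_CONF = """
play.filters.cors {
  allowedOrigins = ["https://trusted.example.com"]  # the // inside the URL is not a comment
  allowedHttpMethods = ["GET", "POST"]
}
"""

# Same setting written as a dotted key, which HOCON also permits.
DOTTED_CONF = 'play.filters.cors.allowedOrigins = ["*", "https://app.example.com"]\n'

# allowedOrigins = null: Play's reference.conf documents null as "all origins allowed"
# (assumption taken from Play's defaults, not stated in the rule above).
NULL_CONF = "play.filters.cors {\n  allowedOrigins = null\n}\n"

# An unrelated block reusing the key name must not be reported.
UNRELATED_CONF = "my.widget {\n  allowedOrigins = [\"*\"]\n}\n"

CORS_ORIGINS_KEY = "play.filters.cors.allowedOrigins"

# key = value, key : value, or key { (start of a nested object); one key per line assumed.
KEY_RE = re.compile(r'^\s*(?P<key>[A-Za-z0-9_.\-"]+)\s*(?:[=:]|(?=\{))\s*(?P<value>.*)$')
# Double-quoted HOCON strings, allowing escaped characters inside.
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def strip_comment(line):
    """Drop a trailing '#' or '//' comment, but not markers inside a quoted string."""
    in_str = False
    i = 0
    while i < len(line):
        c = line[i]
        if in_str and c == "\\":
            i += 2  # skip the escaped character
            continue
        if c == '"':
            in_str = not in_str
        elif not in_str and (c == "#" or line.startswith("//", i)):
            return line[:i]
        i += 1
    return line


def find_wildcard_origins(conf_text):
    """Return [(line_number, reason), ...] for allowedOrigins settings that allow all origins."""
    findings = []
    path = []  # stack of enclosing object keys, e.g. ["play.filters.cors"]
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = strip_comment(raw).strip()
        if not line:
            continue
        if line.startswith("}"):
            if path:
                path.pop()
            continue
        m = KEY_RE.match(line)
        if not m:
            continue
        key = m.group("key").strip('"')
        value = m.group("value").strip()
        if value.startswith("{"):
            if not value.endswith("}"):  # multi-line object: its key prefixes the children
                path.append(key)
            continue
        full_key = ".".join(path + [key])
        if full_key != CORS_ORIGINS_KEY:
            continue
        if value == "null":
            findings.append((lineno, "allowedOrigins = null allows all origins"))
        elif "*" in STRING_RE.findall(value):
            findings.append((lineno, 'allowedOrigins contains the wildcard "*"'))
    return findings


if __name__ == "__main__":
    for name, conf in [("vulnerable", VULNERABLE_CONF), ("secure", SECURE_CONF),
                       ("dotted", DOTTED_CONF), ("null", NULL_CONF),
                       ("unrelated", UNRELATED_CONF)]:
        print(name, find_wildcard_origins(conf))
```

The comment stripper is the part worth getting right: a naive split on "//" would truncate every https:// origin in the allow-list and either hide a wildcard that follows it or produce false positives, so comment markers are only honoured outside double-quoted strings.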