
Php Cors Wildcard Origin Laravel

Description

Detects insecure CORS (Cross-Origin Resource Sharing) configurations in Laravel PHP applications that use wildcard (*) origin settings. This allows any external domain to make cross-origin requests to your application, potentially exposing sensitive data or functionality to malicious websites.

Weakness: 134 - Insecure or unset HTTP headers - CORS

Category: Protocol Manipulation

Detection Strategy

    Scans Laravel's CORS configuration file located at 'config/cors.php'

    Identifies CORS configurations where allowed_origins or allowed_origins_patterns contain wildcard (*) values

    Reports a vulnerability when permissive CORS settings are found that allow all origins to access the application
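As an added example (not part of this rule entry or of Laravel itself), a PHP 8 script that places a wildcard config/cors.php beside an allow-listed one and runs the check the detection strategy describes over both. The origin names are constructed and findWildcardOrigins is a hypothetical helper, not a Laravel API.

```php
<?php
// Added example: two config/cors.php arrays (constructed, abbreviated to the
// relevant keys) and a check mirroring the rule's detection strategy.
// Requires PHP 8 for str_contains().

// Flagged: the permissive configuration the rule targets.
$permissive = [
    'paths'                    => ['api/*'],
    'allowed_origins'          => ['*'],
    'allowed_origins_patterns' => [],
    'supports_credentials'     => true,
];

// Hardened: an explicit allow-list of trusted origins.
$allowListed = [
    'paths'                    => ['api/*'],
    'allowed_origins'          => ['https://app.example.com', 'https://admin.example.com'],
    'allowed_origins_patterns' => [],
    'supports_credentials'     => true,
];

/**
 * One finding per wildcard entry in allowed_origins or allowed_origins_patterns.
 * A bare '*' admits every origin; a partial wildcard such as
 * 'https://*.example.com' is reported at lower severity because every host
 * under that suffix becomes trusted.
 */
function findWildcardOrigins(array $cors): array
{
    $findings = [];
    foreach (['allowed_origins', 'allowed_origins_patterns'] as $key) {
        foreach ($cors[$key] ?? [] as $origin) {
            if (!str_contains($origin, '*')) {
                continue;
            }
            $severity = $origin === '*' ? 'high' : 'medium';
            // Browsers reject the literal '*' together with
            // Access-Control-Allow-Credentials: true, so a server that keeps
            // credentialed requests working must reflect the request Origin.
            if ($origin === '*' && ($cors['supports_credentials'] ?? false)) {
                $severity = 'critical';
            }
            $findings[] = "$key: '$origin' ($severity)";
        }
    }
    return $findings;
}

print_r(findWildcardOrigins($permissive));
print_r(findWildcardOrigins($allowListed));
```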

Vulnerable code example

// Generic illustration only: this snippet shows a SQL injection in Java
// and is not specific to the Laravel CORS rule described above.
String username = request.getParameter("username");
String query = "SELECT * FROM users WHERE name = '" + username + "'"; // Vulnerable: Direct string concatenation allows SQL injection

✅ Secure code example

String username = request.getParameter("username");
// Use PreparedStatement to prevent SQL injection by parameterizing the query
PreparedStatement stmt = connection.prepareStatement("SELECT * FROM users WHERE name = ?");
stmt.setString(1, username); // Binds the value as data, so it cannot change the query structure