Java Cors Allow Origin Wildcard
Description
Detects insecure CORS (Cross-Origin Resource Sharing) configurations in Java Spring applications that use wildcard (*) for allowed origins. This configuration allows requests from any domain, potentially exposing sensitive data and functionality to malicious websites through cross-origin attacks.
Detection Strategy
• Identifies Spring CORS configuration methods like .allowedOrigins() or @CrossOrigin annotations
• Checks if wildcard (*) is used as an allowed origin value
• Reports a vulnerability when CORS is configured to accept requests from any origin (*)
• Validates both programmatic CORS configuration and annotation-based configuration
Vulnerable code example
@Configuration
public class CorsConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.headers()
.addHeaderWriter(new StaticHeadersWriter("Access-Control-Allow-Origin", "*")); // Vulnerable: Allows requests from any origin using wildcard
return http.build();
}...✅ Secure code example
@Configuration
public class CorsConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.headers()
.addHeaderWriter(new StaticHeadersWriter("Access-Control-Allow-Origin", "https://trusted-domain.com")) // Secure: Explicitly specify trusted origin
.addHeaderWriter(new StaticHeadersWriter("Access-Control-Allow-Methods", "GET, POST")) // Limit allowed HTTP methods
.addHeaderWriter(new StaticHeadersWriter("Access-Control-Allow-Headers", "Authorization, Content-Type")) // Specify allowed headers...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.