Recipe Name:
Security Misconfiguration: CORS: Avoid broad settings: CorsRegistry#allowedOrigins
Description:
Allowing all origins makes the application vulnerable to scripts from any domain
Level:
warning
Language:
- java
Tags:
- Spring
- security
- framework specific
- web
- Spring Security
Documentation
Spring by default allows all origins on a CORS mapping. Keep in mind that this means the application's data can be read by JavaScript code served from any domain, so allowedOrigins should name only the origins that actually need access.
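As an added example (not part of the Sensei recipe or of Spring's own code), a complete WebMvcConfigurer that registers a CORS mapping for an /api/** path. The broad setting the recipe flags is shown commented out beside a restricted one; the origin "https://app.example.com", the path and the method/header lists are placeholders chosen for the example:

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

// Added example: restricts cross-origin access to /api/** to one trusted origin.
// The origin, path, methods and headers below are placeholders for this example.
@Configuration
public class CorsConfig implements WebMvcConfigurer {

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        // Broad setting flagged by the recipe: any origin may read /api/** responses.
        // registry.addMapping("/api/**").allowedOrigins("*");

        // Restricted setting: only the named origin may read responses, and only
        // with the methods and request headers the front end actually needs.
        registry.addMapping("/api/**")
                .allowedOrigins("https://app.example.com")      // placeholder origin
                .allowedMethods("GET", "POST")                   // no blanket "*"
                .allowedHeaders("Content-Type", "Authorization")
                .allowCredentials(true)                          // cookies/auth only for the listed origin
                .maxAge(3600);                                   // cache preflight result for one hour
    }
}
```

Two points worth knowing when applying the fix: an origin is scheme, host and port, so "https://app.example.com" does not cover "http://app.example.com" or a different port, and Spring (since 5.3) refuses to start a configuration that combines allowedOrigins("*") with allowCredentials(true); where a family of subdomains must be matched, allowedOriginPatterns expresses that without opening the mapping to every origin.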
Before:
registry.allowedOrigins("*");
After:
registry.allowedOrigins("https://domain.com");
References:
Recipe
id: 'scw:spring:security:cors:CorsRegistry#allowedOrigins'
version: 10
metadata:
  name: 'Security Misconfiguration: CORS: Avoid broad settings: CorsRegistry#allowedOrigins'
  shortDescription: Allowing all origins makes the application vulnerable to scripts from any domain
  level: warning
  language: java
  enabled: true
  descriptionFile: descriptions/AvoidbroadsettingsCorsRegistryallowedOrigins.html
  tags: Spring;security;framework specific;web;Spring Security
search:
  methodcall:
    args:
      1:
        value:
          stringified: '*'
    name: allowedOrigins
    type: org.springframework.web.servlet.config.annotation.CorsRegistration
availableFixes:
  - name: Specify the allowedOrigins
    actions:
      - modifyArguments:
          rewrite:
            1: '"https://..."'