JAVA-S1000 @ 177b7dc • QuackatronHQ / Gigarepo

Run summary

a year ago

34b6022..177b7dc

23 s

Overly permissive CORS policies are a security risk JAVA-S1000

Security

Critical

1 occurrence in this check

a05 cwe-352 cwe-79 sans top 25 owasp top 10

"*" will allow any domain to send a cross origin request to your server

java/web/src/main/java/com/example/server/Server.java

 31        // For older browsers?
 32        c.setSecure(false);
 33        resp.addCookie(c);
 34        resp.setHeader("Access-Control-Allow-Origin", "*"); 35
 36        Boolean b = Boolean.parseBoolean(req.getParameter("winCondition"));
 37

Description

An overly permissive CORS policy can allow malicious actors to retrieve sensitive data from your own servers through the client.

Prior to HTML5, Web browsers enforced the Same Origin Policy which ensures that in order for JavaScript to access the contents of a Web page, both the JavaScript and the Web page must originate from the same domain. Without the Same Origin Policy, a malicious website could serve up JavaScript that loads sensitive information from other websites using a client's credentials, and communicate this information back to the attacker.

HTML5 makes it possible for JavaScript to access data across domains if the Access-Control-Allow-Origin HTTP header is defined. With this header, a web server defines which other domains are allowed to access its domain using cross-origin requests. However, caution should be taken when defining the header because an overly permissive CORS policy will allow a malicious application to communicate with the victim application in an inappropriate way, leading to spoofing, data theft, relay and other attacks.

Bad Practice

response.addHeader("Access-Control-Allow-Origin", "*");

List<String> whitelistedDomains = Arrays.asList("some.trusted.domain", "some.other-trusted.domain", ...);

// CORS requests always carry an Origin header specifying the domain of the page that initiated the request to this server.
String origin = request.getHeader("Origin");

// If the origin domain is safe, we could allow such cross origin requests to go through.
if (whilelistedDomains.contains(origin))
    response.addHeader("Access-Control-Allow-Origin", origin);

References

MDN - Access-Control-Allow-Origin
W3C CORS specification
OWASP Top Ten (2021) - Category A05 - Security Misconfiguration
FindSecBugs - PERMISSIVE_CORS
CWE-79 - Improper Neutralization of Input During Web Page Generation (Cross Site Scripting)
CWE-352 - Cross Site Request Forgery (CSRF)

QuackatronHQ / Gigarepo

Bad Practice

Recommended

References