JAVA-S1000 · Overly permissive CORS policies are a security risk

Overly permissive CORS policies are a security risk JAVA-S1000

Security

Critical

2 years ago — 2 years old

a05 cwe-352 cwe-79 sans top 25 owasp top 10

"*" will allow any domain to send a cross origin request to your server

src/main/java/io/example/configuration/SecurityConfig.java

156    var source = new UrlBasedCorsConfigurationSource();
157    var config = new CorsConfiguration();
158    config.setAllowCredentials(true);
159    config.addAllowedOrigin("*");160    config.addAllowedHeader("*");
161    config.addAllowedMethod("*");
162    source.registerCorsConfiguration("/**", config);

Description

An overly permissive CORS policy can allow malicious actors to retrieve sensitive data from your own servers through the client.

Prior to HTML5, Web browsers enforced the Same Origin Policy which ensures that in order for JavaScript to access the contents of a Web page, both the JavaScript and the Web page must originate from the same domain. Without the Same Origin Policy, a malicious website could serve up JavaScript that loads sensitive information from other websites using a client's credentials, and communicate this information back to the attacker.

HTML5 makes it possible for JavaScript to access data across domains if the Access-Control-Allow-Origin HTTP header is defined. With this header, a web server defines which other domains are allowed to access its domain using cross-origin requests. However, caution should be taken when defining the header because an overly permissive CORS policy will allow a malicious application to communicate with the victim application in an inappropriate way, leading to spoofing, data theft, relay and other attacks.

Bad Practice

response.addHeader("Access-Control-Allow-Origin", "*");

List<String> whitelistedDomains = Arrays.asList("some.trusted.domain", "some.other-trusted.domain", ...);

// CORS requests always carry an Origin header specifying the domain of the page that initiated the request to this server.
String origin = request.getHeader("Origin");

// If the origin domain is safe, we could allow such cross origin requests to go through.
if (whilelistedDomains.contains(origin))
    response.addHeader("Access-Control-Allow-Origin", origin);

References

MDN - Access-Control-Allow-Origin
W3C CORS specification
OWASP Top Ten (2021) - Category A05 - Security Misconfiguration
FindSecBugs - PERMISSIVE_CORS
CWE-79 - Improper Neutralization of Input During Web Page Generation (Cross Site Scripting)
CWE-352 - Cross Site Request Forgery (CSRF)

rethianita / spring-book

Bad Practice

Recommended

References