Too Broad Cors Policy

java.too_broad_cors_policy

Severity

critical

Resource

Misconfiguration

Language

Java

Description

By default, same-origin policy blocks cross-origin HTTP requests initiated by scripts. There are several use cases that require cross-origin script access; for example, Content Delivery Networks (CDNs) that provide hosting for JavaScript/CSS libraries and public API endpoints. However, cross-origin access presents a major security risk and must be carefully controlled.

This detector aims to pinpoint scenarios where Cross-Origin Resource Sharing (CORS) policies are excessively permissive, potentially exposing the application to cross-origin attacks.

More specifically this detector identifies configurations that improperly set values for the Access-Control-Allow-Origin HTTP header.

Rationale

Cross-Origin Resource Sharing (CORS) is a fundamental security feature that controls how resources can be requested from a different domain.

This vulnerability arises when the Origin header is set to overly permissive values such as * or null, which effectively allows any domain to access resources, bypassing the intended security restrictions. This can lead to undesired information disclosure or unauthorized actions through a variety of attack vectors.

In addition, dynamically reflecting origins (e.g. the Origin request header) from cross-origin requests without strict validation should be avoided, as it is readily exploitable.

In Java web applications, CORS configurations are typically defined by setting the Access-Control-Allow-Origin header within CORS filters or utilizing annotations like @CrossOrigin.

For illustrative purposes, consider the following Java snippet demonstrating an insecure CORS configuration:

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ExampleController {

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        ((HttpServletResponse) response).setHeader("Access-Control-Allow-Origin", "*");
        chain.doFilter(request, response);
    }
}

java

In this example, the use of "*" as an allowed origin enables any domain to access the protected resources, violating the security principle of least privilege.

Remediation

To remediate this vulnerability, it is crucial to tighten the CORS policy by explicitly specifying trusted domains or origins that are permitted to interact with the application. This minimizes unauthorized access and limits the exposure to potential attacks.

Here are practical steps for safer CORS configuration in web applications:

Identify the trusted domains that require cross-origin access to your resources and specify them explicitly instead of using a wildcard character.
Use configuration files or security frameworks to centralize and manage CORS settings to ensure consistency across your application.
Regularly review and update the list of allowed origins based on your current security requirements and business needs.

In frameworks such as Spring, CORS can be configured at the controller class or method level using the @CrossOrigin annotation. Do not use the unlimited @CrossOrigin or @CrossOrigin(origins = "*") unless you have a specific reason to allow all origins. Alternatively you may configure CORS globally, either using the WebMvcConfigurer:

@Configuration
public class WebMvcConfig implements WebMvcConfigurer {
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**")
        .allowedOrigins("<limited cross-domain origins>")
        .allowedMethods("GET", "POST", "PUT", "DELETE")
        // further configuration
        ;
    }
}

java

or with Spring Security and the CorsConfigurationSource or the newer cors() DSL:

@EnableWebSecurity
public class SecurityConfig {
    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        var cors = new CorsConfiguration();
        cors.setAllowedOrigins(List.of("<limited cross-domain origins>"));
        cors.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));
        var source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", cors);
        return source;
    }
}

java

Configuration

The detector has the following configurable parameters:

tooBroadOriginPattern, that indicates the regex used to determine if the origin is too broad.

References

CWE-942 : Permissive Cross-domain Policy with Untrusted Domains.
OWASP - Top 10 2021 Category A05 : Security Misconfiguration.
MDN on CORS configuration.
PortSwigger on CORS.
Exploiting CORS misconfigurations for Bitcoins and bounties.
Spring’s CORS Support.