CORS security flaw

Actual behaviour: Javalin running with a CORS allowed origin of https://api.securesite.com works with the header Origin: https://api.securesite.com as expected. I register an Australian site of https://api.securesite.com.au and request the API above with Origin: https://api.securesite.com.au - Javalin CORS will respond with Access-Control-Allow-Origin: https://api.securesite.com.au and Access-Control-Allow-Credentials: true.

Expected behaviour: For the example above, Origin: https://api.securesite.com.au should not be allowed.

To reproduce: See above.

Additional context: I believe the fix is simple - just change startsWith to an equals. https://github.com/tipsy/javalin/blob/3acf47d9c97cb593426056749ff4304781700d86/javalin/src/main/java/io/javalin/http/util/CorsUtil.kt#L17

Issue Analytics

  • State: closed
  • Created: 3 years ago
  • Comments: 5 (5 by maintainers)

Top GitHub Comments

1 reaction
Jerbell commented, Apr 13, 2020

Sure - why not. I’ll try to do it later 😃

0 reactions
tipsy commented, Apr 13, 2020

Nice, thank you! I agree that it’s better to not break existing code that relies on the removeSuffix mapping.
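The origin check described in the issue, as an added illustration that is not Javalin's code: the function names, the allow-list and the trailing-slash normalisation are assumptions made here (the thread's "removeSuffix mapping" is taken to mean stripping a trailing "/" from configured origins). A prefix matcher reproduces the reported behaviour, an exact matcher beside it rejects the ".com.au" origin, and the CORS headers are only emitted when a matcher succeeds.

```kotlin
// Added example, not part of Javalin. Names and the allow-list are assumptions.

// Vulnerable matcher: a prefix test accepts any origin that merely begins with
// an allowed origin, so "https://api.securesite.com.au" passes for
// "https://api.securesite.com" (the defect reported in the issue).
fun prefixMatch(requestOrigin: String, allowedOrigins: List<String>): String? =
    allowedOrigins.firstOrNull { requestOrigin.startsWith(it) }

// Hardened matcher: exact, case-insensitive comparison of the whole origin.
// A trailing "/" is stripped from both sides so that an allow-list entry
// written as "https://api.securesite.com/" still matches (assumed to be what
// the maintainer's "removeSuffix mapping" preserves).
fun exactMatch(requestOrigin: String, allowedOrigins: List<String>): String? {
    val normalised = requestOrigin.removeSuffix("/").lowercase()
    return allowedOrigins.firstOrNull { it.removeSuffix("/").lowercase() == normalised }
}

// Produce the CORS response headers for a request. When the origin is not
// allowed, no Access-Control-Allow-* header is emitted at all; "Vary: Origin"
// keeps caches from serving one origin's response to another.
fun corsHeaders(
    requestOrigin: String,
    allowedOrigins: List<String>,
    matcher: (String, List<String>) -> String?
): Map<String, String> {
    if (matcher(requestOrigin, allowedOrigins) == null) return emptyMap()
    return mapOf(
        "Access-Control-Allow-Origin" to requestOrigin,
        "Access-Control-Allow-Credentials" to "true",
        "Vary" to "Origin"
    )
}

fun main() {
    // Constructed inputs: the allow-list and the two origins from the issue,
    // plus a trailing-slash variant of the legitimate origin.
    val allowList = listOf("https://api.securesite.com")
    val origins = listOf(
        "https://api.securesite.com",
        "https://api.securesite.com/",
        "https://api.securesite.com.au"
    )
    for (origin in origins) {
        val viaPrefix = corsHeaders(origin, allowList, ::prefixMatch)["Access-Control-Allow-Origin"] ?: "(no CORS headers)"
        val viaExact = corsHeaders(origin, allowList, ::exactMatch)["Access-Control-Allow-Origin"] ?: "(no CORS headers)"
        println("Origin: $origin")
        println("  prefix matcher -> $viaPrefix")
        println("  exact matcher  -> $viaExact")
    }
}
```

Run with the Kotlin compiler (kotlinc) as a single file: for the ".com.au" origin the prefix matcher hands back Access-Control-Allow-Origin and Access-Control-Allow-Credentials: true exactly as the issue describes, while the exact matcher returns no CORS headers; both accept the legitimate origin, and the exact matcher also accepts its trailing-slash form.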
