|
private String secret; |
|
|
|
@CrossOrigin(origins = "*") |
|
@RequestMapping(value = "/login", method = RequestMethod.POST, produces = "application/json", consumes = "application/json") |
|
LoginResponse login(@RequestBody LoginRequest input) { |
|
User user = User.fetch(input.username); |
|
if (Postgres.md5(input.password).equals(user.hashedPassword)) { |
|
return new LoginResponse(user.token(secret)); |
|
} else { |
|
throw new Unauthorized("Access Denied"); |
|
} |
Filename: LoginController.java
Line: 20
CWE: 942 (Permissive Cross-domain Policy with Untrusted Domains ('Authorization Issues'))
Cross-origin resource sharing (CORS) is a technique implemented by modern browsers to relax principles of same-origin policy, so that legitimate sites with different origins can interact with each other. Spring provides this support via @crossorigin annotation. Not restricting access to web resources (@crossorigin("*")), opens it up for attackers to inadvertently access restricted resources. An application should always check the origin of a request to be coming from a trusted source, before serving it. Please restrict the allowed domains which can access this resource References: CWE CORS support in Spring Framework REST Security Cheat Sheet at OWASP /nDon't know how to fix this? Don't know why this was reported?
Get Assistance from Veracode
vulnado//src/main/java/com/scalesec/vulnado/LoginController.java
Lines 15 to 25 in b790dcd
Filename: LoginController.java
Line: 20
CWE: 942 (Permissive Cross-domain Policy with Untrusted Domains ('Authorization Issues'))
Cross-origin resource sharing (CORS) is a technique implemented by modern browsers to relax principles of same-origin policy, so that legitimate sites with different origins can interact with each other. Spring provides this support via @crossorigin annotation. Not restricting access to web resources (@crossorigin("*")), opens it up for attackers to inadvertently access restricted resources. An application should always check the origin of a request to be coming from a trusted source, before serving it. Please restrict the allowed domains which can access this resource References: CWE CORS support in Spring Framework REST Security Cheat Sheet at OWASP /nDon't know how to fix this? Don't know why this was reported?
Get Assistance from Veracode