Header manipulation fortify

Question

0.00/5 (No votes)

See more:

Fortify HP found a header manipulation vulnerability in my basic CorsFilter:

HttpServletResponse response = (HttpServletResponse) res;
        String origin = ((HttpServletRequest)req).getHeader("origin");

and i get the header manipulation here:

response.setHeader("Access-Control-Allow-Origin", origin);

Any ideas?

What I have tried:

I tried this:

if (origin != null) {
            origin = origin.replace("\n", "");
            origin = origin.replace("\r", "");
        }

but the issue persists.

Posted 18-Oct-19 0:02am

Lakyme

Updated 18-Oct-19 4:44am

Add a Solution

3 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

#realJSOP · Answer 1 · 2019-10-18T01:37:00

Solution 1

Mark it as Not an issue in Fortify and move on

Posted 18-Oct-19 1:37am

#realJSOP

Richard Deeming · Answer 2 · 2019-10-18T04:44:00

The whole point of CORS is to restrict which sites can access your resources.
Cross-Origin Resource Sharing (CORS) - HTTP | MDN[^]

Your code is effectively saying that any site can access your resources. But there's already a way to do that, without relying on headers passed from the client:

Java

response.setHeader("Access-Control-Allow-Origin", "*");

Access-Control-Allow-Origin - HTTP | MDN[^]

NB: You should carefully review the security implications of this setting.

aljan · Answer 3 · 2020-02-12T22:16:00

Be aware that by reflecting the "origin" in the Access-Control-Allow-Origin and using Access-Control-Allow-Credentials, you are essentially allowing third party applications visited by your users to make these requests and reading the results. If said results are confidential, this is a concern.

This is not exactly what Fortify is really warning you about, but an issue to consider none the less.

Please refer to What is CORS (cross-origin resource sharing)? Tutorial & Examples[^] , under "Server-generated ACAO header from client-specified Origin header"

Header manipulation fortify

3 solutions

Solution 1

Solution 2

Solution 3

Add your solution here

Preview 0