Running OWASP ZAP against a Spring application may report the following security alert.
OWASP ZAP alert details
1) Description
Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server
2) Other info
The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.
3) Solution
Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).
Configure the "Access-Control-Allow-Origin" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.
4) Reference
https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy
Software Security | HTML5: Overly Permissive CORS Policy
Fix in Spring Security
Add the following bean to the Security Config. Spring Security only applies it when CORS is enabled on the filter chain (http.cors(Customizer.withDefaults())); it then looks up a CorsConfigurationSource bean named corsConfigurationSource, so keep the method name below as it is.
import org.springframework.context.annotation.Bean;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Bean
public CorsConfigurationSource corsConfigurationSource() {
    CorsConfiguration configuration = new CorsConfiguration();
    // Spring Framework 5.3+ rejects setAllowCredentials(true) combined with
    // allowedOrigins("*"), because "*" cannot be sent in Access-Control-Allow-Origin
    // for a credentialed request. Replacing it with addAllowedOriginPattern("*")
    // silences that check but makes Spring reflect every request Origin together with
    // Access-Control-Allow-Credentials: true, which is exactly the misconfiguration
    // ZAP flags. List the real front-end origins explicitly instead; patterns are only
    // needed for wildcard sub-domains such as "https://*.example.com".
    // Origin(s) allowed to call this API (adjust to your front end).
    configuration.addAllowedOrigin("https://localhost:3000");
    configuration.addAllowedHeader("*");
    configuration.addAllowedMethod("GET");
    configuration.addAllowedMethod("POST");
    configuration.addAllowedMethod("PUT");
    configuration.addAllowedMethod("DELETE");
    // Needed only if the browser must send cookies/Authorization with cross-origin calls.
    configuration.setAllowCredentials(true);
    // Cache the preflight response for one hour.
    configuration.setMaxAge(3600L);
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", configuration);
    return source;
}
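The following is an added example, not code from the original post or from Spring itself. It exercises Spring's own CorsConfiguration against a foreign Origin to show which settings reproduce the ZAP finding: a wildcard origin with credentials is refused by Spring outright, the wildcard origin pattern workaround is accepted but reflects the attacker's Origin, and an explicit allow-list returns nothing for the foreign Origin. It assumes spring-web 5.3 or later on the classpath (addAllowedOriginPattern and the allowCredentials/"*" check were introduced in 5.3); the two origin values are made-up test inputs.

```java
// Added example (not part of the original post). Uses Spring's own CorsConfiguration
// to show which settings reproduce the ZAP "Cross Origin Resource Sharing" finding.
// Assumption: spring-web 5.3+ on the classpath. The origins below are made-up values.
import java.util.List;

import org.springframework.web.cors.CorsConfiguration;

public class CorsPolicyCheck {

    // Origin a third-party page would send; this is the role ZAP plays in its scan.
    static final String ATTACKER_ORIGIN = "https://attacker.example";
    // The single front end that should be allowed to call the API with cookies.
    static final String FRONTEND_ORIGIN = "https://app.example.com";

    /** allowedOrigins("*") + allowCredentials(true): Spring refuses to evaluate it. */
    static String wildcardOriginWithCredentials() {
        CorsConfiguration config = new CorsConfiguration();
        config.addAllowedOrigin("*");
        config.setAllowCredentials(true);
        try {
            return config.checkOrigin(ATTACKER_ORIGIN);
        } catch (IllegalArgumentException e) {
            // Thrown by CorsConfiguration.validateAllowCredentials() in 5.3+.
            return "rejected by Spring: " + e.getMessage();
        }
    }

    /** addAllowedOriginPattern("*") + allowCredentials(true): accepted, reflects any Origin. */
    static String wildcardPatternWithCredentials() {
        CorsConfiguration config = new CorsConfiguration();
        config.addAllowedOriginPattern("*");
        config.setAllowCredentials(true);
        // Returns the attacker origin, i.e. the value Spring would echo in
        // Access-Control-Allow-Origin next to Access-Control-Allow-Credentials: true.
        return config.checkOrigin(ATTACKER_ORIGIN);
    }

    /** Explicit allow-list: only the listed origin is echoed back, anything else gets null. */
    static String explicitAllowList(String requestOrigin) {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowedOrigins(List.of(FRONTEND_ORIGIN));
        config.setAllowCredentials(true);
        // null means no Access-Control-Allow-Origin header, so the browser blocks the read.
        return config.checkOrigin(requestOrigin);
    }

    public static void main(String[] args) {
        System.out.println("allowedOrigins(\"*\") + credentials  : " + wildcardOriginWithCredentials());
        System.out.println("originPattern(\"*\") + credentials   : " + wildcardPatternWithCredentials());
        System.out.println("allow-list, foreign origin          : " + explicitAllowList(ATTACKER_ORIGIN));
        System.out.println("allow-list, own front-end origin    : " + explicitAllowList(FRONTEND_ORIGIN));
    }
}
```

Run it with spring-web on the classpath: the second line prints https://attacker.example, which is the reflected value ZAP sees when it sends an arbitrary Origin header, while the third prints null. The same checkOrigin call is what Spring's DefaultCorsProcessor uses to decide the response header, so a quick unit test around your own corsConfigurationSource bean with a foreign Origin is a cheap regression guard against the finding coming back.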