Unrestricted Request Mapping

ID

java.unrestricted_request_mapping

Severity

critical

Resource

Misconfiguration

Language

Java

Tags

CWE:352, NIST.SP.800-53, PCI-DSS:6.5.1, spring

Description

Unrestricted Request Mapping occurs when a web application endpoint does not properly restrict or validate the incoming HTTP requests it accepts. This can lead to CSRF vulnerabilities, where an attacker tricks a logged-in user's browser into performing actions the user did not intend, using the user's own session.

In Java, particularly when using web frameworks, request handlers may be exposed without adequate security controls, making the application vulnerable to unauthorized access and manipulation.

Rationale

By default, methods annotated with @RequestMapping are mapped to all HTTP request methods.

However, Spring Security's CSRF protection is not applied to GET, HEAD, TRACE, and OPTIONS requests, since requiring the token on those methods could expose it. As a result, a state-changing handler annotated with @RequestMapping that does not restrict its mapping to POST, PUT, DELETE, or PATCH can also be invoked through one of the unprotected methods and is therefore susceptible to CSRF attacks.

The detector flags any Spring MVC controller method that executes state changes and is annotated with @RequestMapping (without restricting methods, or when using GET, HEAD, OPTIONS, TRACE) or @GetMapping.

Remediation

Restrict the HTTP methods mapped to a state-changing controller method to those covered by Spring Security's CSRF protection (POST, PUT, DELETE, or PATCH), either through the method element of @RequestMapping or through the corresponding composed annotation.
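The following is an added example, not code from the original page: the flagged form of a state-changing Spring MVC handler next to its restricted form. AccountService is a hypothetical dependency standing in for the application's own state-changing logic, and the two controllers are shown side by side only for comparison; an application would keep the second one.

```java
// Added example, not from the original page. AccountService is a
// hypothetical dependency standing in for the application's state-changing logic.
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// BEFORE: flagged by the detector. Without a 'method' element the handler is
// mapped to every HTTP method, including GET, HEAD, OPTIONS and TRACE, which
// Spring Security's CSRF filter does not protect. A logged-in user who merely
// follows a link to /account/email?value=... changes their own account.
@RestController
@RequestMapping("/account")
class AccountControllerUnrestricted {
    private final AccountService accounts; // hypothetical
    AccountControllerUnrestricted(AccountService accounts) { this.accounts = accounts; }

    @RequestMapping("/email")
    public String changeEmail(@RequestParam String value) {
        accounts.updateEmail(value);
        return "updated";
    }
}

// AFTER: state changes are reachable only through methods the CSRF filter
// covers. Requests using any other method get 405 Method Not Allowed, and the
// POST or DELETE must carry a valid CSRF token before the service call runs.
@RestController
@RequestMapping("/account")
class AccountControllerRestricted {
    private final AccountService accounts; // hypothetical
    AccountControllerRestricted(AccountService accounts) { this.accounts = accounts; }

    @RequestMapping(value = "/email", method = RequestMethod.POST)
    public String changeEmail(@RequestParam String value) {
        accounts.updateEmail(value);
        return "updated";
    }

    // Composed annotation; same effect as method = RequestMethod.DELETE.
    @DeleteMapping("/{id}")
    public String deleteAccount(@PathVariable long id) {
        accounts.delete(id);
        return "deleted";
    }
}
```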