Cors Misconfig

Web cheatsheet — Web application enumeration and exploitation techniques.

Overview

CORS (Cross-Origin Resource Sharing) misconfigurations occur when CORS headers are too permissive. Allowing arbitrary origins (Access-Control-Allow-Origin: *), reflecting origins without validation, or exposing sensitive headers can lead to data exfiltration.

CORS misconfigurations are commonly exploited in conjunction with XSS or via malicious websites.

Category: Web

Key Commands & Payloads

The following commands and payloads are commonly used when testing for or exploiting Cors Misconfig:

Origin: https://attacker.com
Access-Control-Allow-Origin: https://attacker.com
Access-Control-Allow-Credentials: true
curl -H "Origin: https://evil.com" -I https://target.com/api/sensitive
curl -H "Origin: null" -I https://target.com/api/sensitive

Tools & Techniques

Recommended tools and techniques for Cors Misconfig:

  • Test with arbitrary Origin header values
  • Check for reflected Access-Control-Allow-Origin headers
  • Verify Access-Control-Allow-Credentials with external origins
  • Test with null Origin header
  • Use Burp Scanner or CORS-specific tools

Prevention & Mitigation

Security recommendations to prevent Cors Misconfig:

  • Never use Access-Control-Allow-Origin: * with credentials
  • Validate Origin against a strict allowlist
  • Avoid reflecting the Origin header without validation
  • Use specific origins instead of wildcards
  • Limit exposed methods and headers via Access-Control-Allow-Methods and Access-Control-Expose-Headers
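The following is an added example, not code from the original cheatsheet: a Node.js origin-validation function written two ways, the reflecting form that produces the misconfiguration described above, and the exact-match allowlist form the recommendations call for. The allowlist entries and probe origins are constructed for the example.

```javascript
// Added example (not from the cheatsheet): deciding CORS response headers.
// Both functions return the headers to set, or an empty object when the
// request's Origin must not be granted cross-origin access.

const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',    // constructed allowlist entries
  'https://admin.example.com',
]);

// MISCONFIGURED: echoes whatever Origin arrives and adds credentials, so any
// site, including a sandboxed page sending "Origin: null", gets a credentialed read.
function corsHeadersReflecting(originHeader) {
  if (typeof originHeader !== 'string') return {};
  return {
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// HARDENED: exact match on the full origin (scheme + host + port). A suffix or
// substring check would accept "https://app.example.com.evil.com"; exact match
// does not, and the literal "null" origin is rejected explicitly.
function corsHeadersAllowlist(originHeader, allowlist = ALLOWED_ORIGINS) {
  if (typeof originHeader !== 'string' || originHeader === 'null') return {};
  if (!allowlist.has(originHeader)) return {};       // unknown origin: send no CORS headers at all
  return {
    'Access-Control-Allow-Origin': originHeader,     // only ever the matched allowlist entry
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST',     // limit methods to what the API needs
    'Access-Control-Expose-Headers': 'Content-Type', // expose only what clients must read
    'Vary': 'Origin',                                // stop shared caches mixing per-origin responses
  };
}

// Constructed probe origins mirroring the curl tests above, plus a missing header.
const PROBES = ['https://evil.com', 'null', 'https://app.example.com',
                'https://app.example.com.evil.com', undefined];

// Side-by-side outcome for each probe under both implementations.
function compare() {
  return PROBES.map((o) => ({
    origin: String(o),
    reflectingAllows: 'Access-Control-Allow-Origin' in corsHeadersReflecting(o),
    allowlistAllows: 'Access-Control-Allow-Origin' in corsHeadersAllowlist(o),
  }));
}

console.log(JSON.stringify(compare(), null, 2));
```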
