Overview
Cross-Origin Resource Sharing (CORS) controls which origins can access resources. Misconfigured CORS headers allow attacker’s site to read responses from victim’s authenticated session.Key Headers
| Header | Description |
|---|---|
Access-Control-Allow-Origin | Allowed origin |
Access-Control-Allow-Credentials | Allow cookies/auth |
Access-Control-Allow-Methods | Allowed HTTP methods |
Access-Control-Allow-Headers | Allowed headers |
Access-Control-Expose-Headers | Headers readable by JS |
Access-Control-Max-Age | Preflight cache time |
Detection
Check Headers
Variations to Test
Vulnerable Configurations
1. Origin Reflection
Server reflects anyOrigin header back.
2. Null Origin Allowed
3. Weak Regex
Server checks if origin contains target domain:4. Wildcard with Credentials
5. Pre-Domain Wildcard
Exploitation — Origin Reflection
https://evil.com → victim visits → their authenticated data sent to attacker.
Exploitation — Null Origin
Origin: null.
Exploitation — Subdomain Takeover + CORS
If*.TARGET.com is allowed and an unused subdomain exists:
- Take over
unused.TARGET.com(dangling CNAME, cloud service) - Host exploit on
unused.TARGET.com - CORS allows it → read authenticated responses
Data to Steal
| Endpoint | Data |
|---|---|
/api/user | PII, email, role |
/api/account | Account details, API keys |
/api/settings | Config, tokens |
/api/admin | Admin data |
/api/keys | API keys, secrets |
Automation
Nuclei
Manual Script
Corsy
Impact Matrix
| Config | Credentials | Impact |
|---|---|---|
| Reflected origin | true | Critical — full data theft |
| Null allowed | true | High — iframe exploitation |
| Weak regex | true | High — register lookalike domain |
Wildcard * | false | Low — no auth data accessible |
| Subdomain wildcard | true | Medium — needs subdomain XSS/takeover |
Quick Reference
| Test | Command |
|---|---|
| Check reflection | curl -I -H "Origin: https://evil.com" TARGET |
| Check null | curl -I -H "Origin: null" TARGET |
| Exploit | Host JS that reads /api/user with withCredentials |
| Tool | corsy.py -u TARGET |