Module 11 · CORS Misconfiguration

Flag: --skip-cors

Tests the target's CORS policy against 7 adversarial origins.


Test origins

https://evil.com
https://<domain>.evil.com
https://evil.<domain>
null
https://attacker.io
http://localhost
https://not<domain>

Each origin is sent in an Origin header with Access-Control-Request-Method: GET and Access-Control-Request-Headers: Authorization.


Checks and findings

Condition                                              Severity
-----------------------------------------------------  --------
Attacker origin reflected in ACAO + ACAC: true         CRITICAL
Attacker origin reflected in ACAO (no credentials)     MEDIUM
Wildcard * in Access-Control-Allow-Origin              MEDIUM
null origin accepted                                   HIGH

(ACAO = Access-Control-Allow-Origin, ACAC = Access-Control-Allow-Credentials.)

Why CORS matters

A misconfigured CORS policy allows an attacker's website to make authenticated cross-origin requests on behalf of a victim user — reading sensitive API responses, exfiltrating data, or performing actions under their session.

The most critical case is:

Access-Control-Allow-Origin: https://evil.com
Access-Control-Allow-Credentials: true

This combination allows a malicious site to make credentialed requests and read the responses.


Remediation

  • Validate Origin against an explicit allowlist — never reflect it back directly
  • Never use Access-Control-Allow-Origin: * on endpoints that handle authenticated data
  • Never combine ACAO: * with ACAC: true (browsers block this, but other clients do not)
  • Never trust the null origin
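As an added example (not the module's own code), the following applies the findings table above to a set of response headers and, beside it, shows the allowlist-based Origin handling the remediation recommends; the allowlist entry and the example.com target domain are constructed placeholders.

```python
from typing import Dict, Optional

# Severity order used to pick the most severe matching row of the findings table.
SEVERITY_RANK = {"MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}

def cors_finding(sent_origin: str, headers: Dict[str, str]) -> Optional[str]:
    """Map one test origin and the response headers it produced to a severity
    from the findings table, or None when the response is not exploitable."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    acac = h.get("access-control-allow-credentials", "").lower() == "true"
    reflected = acao is not None and acao == sent_origin
    findings = []
    if reflected and acac:
        findings.append("CRITICAL")      # attacker origin reflected + ACAC: true
    if reflected and sent_origin == "null":
        findings.append("HIGH")          # null origin accepted
    if reflected and not acac:
        findings.append("MEDIUM")        # reflected, but without credentials
    if acao == "*":
        findings.append("MEDIUM")        # wildcard ACAO
    if not findings:
        return None
    return max(findings, key=SEVERITY_RANK.__getitem__)

# Constructed allowlist for a hypothetical target: the remediation pattern.
ALLOWED_ORIGINS = frozenset({"https://app.example.com"})

def hardened_cors_headers(request_origin: Optional[str]) -> Dict[str, str]:
    """Allowlist-based CORS: echo the Origin only on an exact match; never the
    wildcard, never 'null', never a reflected unknown origin."""
    if request_origin in ALLOWED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",  # stop caches serving one origin's ACAO to another
        }
    return {}  # no CORS headers at all: the browser blocks the cross-origin read

# The module's seven test origins, with <domain> set to the constructed example.com.
TEST_ORIGINS = [
    "https://evil.com", "https://example.com.evil.com", "https://evil.example.com",
    "null", "https://attacker.io", "http://localhost", "https://notexample.com",
]

def scan_hardened_handler() -> Dict[str, Optional[str]]:
    """Run every test origin through the hardened handler; each should yield None."""
    return {o: cors_finding(o, hardened_cors_headers(o)) for o in TEST_ORIGINS}
```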

Output files

misc/
└── cors_tests.txt