CORS Misconfiguration

What is it?

Cross-Origin Resource Sharing (CORS) is a browser-enforced security mechanism that controls how APIs can be accessed from different origins (domains).

CORS misconfiguration occurs when an API incorrectly allows access to resources from untrusted or arbitrary origins, potentially exposing sensitive data to malicious websites.

While CORS is not a vulnerability by itself, improper implementation can lead to data exfiltration, credential leakage, and unauthorized cross-origin access, especially when combined with authentication mechanisms such as cookies.

What are specific examples?

• Access-Control-Allow-Origin: * used יחד with Access-Control-Allow-Credentials: true
• Reflecting arbitrary Origin headers without validation
• Allowing sensitive endpoints to be accessed from any domain
• Misconfigured preflight (OPTIONS) responses exposing unsafe methods
• Overly permissive headers (Access-Control-Allow-Headers: *)
• Trusting subdomains or wildcard domains without strict validation

Test case FAQs

When is this test case applicable?

• APIs accessed via browsers (frontend integrations)
• Endpoints returning sensitive or user-specific data
• APIs using cookie-based authentication or credential sharing
• Public APIs exposed across multiple domains

How does it work?

Prerequisites

• Ability to send requests with custom Origin headers
• Identification of endpoints returning sensitive data
• Optional authenticated session (for credential-based testing)

Test sequence

1. Send requests with malicious or arbitrary Origin headers
2. Observe Access-Control-Allow-Origin behavior:
   • Wildcard (*)
   • Reflection of supplied origin
3. Test with Access-Control-Allow-Credentials: true
4. Perform preflight (OPTIONS) requests to inspect:
   • Allowed methods
   • Allowed headers
5. Attempt cross-origin requests simulating attacker-controlled domains
6. Validate if sensitive responses are accessible cross-origin

Success/Failure indications

• Failure (vulnerable):

  • Arbitrary origins are reflected or allowed
  • Credentials are allowed with wildcard origins
  • Sensitive data accessible from untrusted domains
  • Overly permissive headers/methods exposed

• Success (secure):

  • Only trusted origins explicitly allowed
  • Credentials restricted to specific domains
  • Preflight responses tightly scoped
  • Sensitive endpoints protected from cross-origin access

What is the solution?

• Explicitly whitelist trusted origins (avoid wildcards)
• Never use * with Access-Control-Allow-Credentials: true
• Validate origin values server-side (strict matching)
• Limit allowed methods and headers to minimum required
• Avoid exposing sensitive endpoints via cross-origin access
• Use token-based authentication instead of cookies where possible
• Regularly audit CORS configurations across environments

References

• https://owasp.org/www-community/attacks/CORS_OriginHeaderScrutiny
• https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS