Web Security · 1 min read

CORS Misconfigurations and Security Risks

Cross-Origin Resource Sharing controls which domains can make requests to your API. Misconfigured CORS headers can let any website steal your users' data. The most dangerous mistake is reflecting the Origin header back as Access-Control-Allow-Origin while also allowing credentials.

Try it now

CORS Checker

Runs in your browser, nothing leaves your device.

Reflecting the request's Origin header as the allowed origin effectively disables CORS. Adding `Access-Control-Allow-Credentials: true` makes it exploitable for data theft. The `null` origin is allowed by some configs, and attackers can trigger it using sandboxed iframes or data: URLs. Wildcard `*` with credentials is rejected by browsers, but wildcard without credentials still allows enumeration attacks.

Send a request with an Origin header set to an attacker-controlled domain. If the response reflects that origin in Access-Control-Allow-Origin, the configuration is vulnerable. Test with `null` as the origin. Check if Access-Control-Allow-Credentials is true. Test preflight requests (OPTIONS) with unusual methods and headers to see what's allowed.

Dangerous: reflected origin with credentials

Input
Access-Control-Allow-Origin: https://attacker.com Access-Control-Allow-Credentials: true
Result
Any website can steal authenticated data from this API

Security context

CORS misconfigurations are one of the most common API vulnerabilities. They often go unnoticed because the application works fine for legitimate users. The risk only manifests when an attacker crafts a malicious page that makes cross-origin requests.

It depends. Wildcard with credentials is blocked by browsers. Wildcard without credentials means any site can read your responses, which is fine for public APIs but dangerous if the endpoint returns user-specific data or internal information.

Related techniques

Comparing (/4):

Tool Comparison

Feature
Type
Pricing
Platforms
Description