July 1, 2026
CORS Misconfigurations
Hey friends! Nitin here

By Nitin Yadav
1 min read
CORS sounds intimidating, but it's really just about which websites are allowed to talk to each other. When a site trusts the WRONG friends, an attacker can steal data. Let me make it simple.
A Tiny Bit Of Background
By default, browsers have a rule: a website can't just read data from a DIFFERENT website's API. This stops evil.com from reading your bank data. Good rule.
But sometimes a site WANTS to let certain other sites access its data. So it uses CORS (Cross-Origin Resource Sharing) to say "hey browser, it's okay, let THESE sites talk to me."
The bug is when a site configures that "allowed friends" list too loosely.
The Misconfigurations
1. Reflecting any origin: The site basically says "whatever site is asking, I trust it". It echoes back whatever origin sent the request AND allows credentials. That means evil.com can read your private data from the target. Critical.
2. Trusting null: Some sites trust an origin of null, which an attacker can produce. Oops.
3. Weak domain matching: The site means to trust *.target.com but the check is sloppy, so target.com.evil.com or eviltarget.com sneaks through.
How To Hunt It
- Find an API endpoint that returns sensitive data (your profile, your messages)
- In Burp, add a header to the request: Origin: https://evil.com
- Look at the response headers. Does it say Access-Control-Allow-Origin: https://evil.com AND Access-Control-Allow-Credentials: true?
- If it reflects your evil origin AND allows credentials, it's vulnerable
- Build a small proof page on your domain that fetches the victim's data to prove it
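As an added example (not code from the original post), here is the sloppy domain check from misconfiguration 3 beside a strict one, a header builder that only ever sends credentials to an allowed origin, and the "reflected origin plus credentials" test from the hunt steps above. It is plain Node.js and assumes target.com is the domain the site meant to trust.

```javascript
// Assumption: the site intends to trust target.com and its subdomains only.
const TRUSTED_HOST = "target.com";

// Sloppy check (misconfiguration 3): a substring match, so
// target.com.evil.com and eviltarget.com both pass.
function sloppyAllows(origin) {
  return origin.includes(TRUSTED_HOST);
}

// Strict check: reject "null" (misconfiguration 2), require a well-formed
// https origin, and compare the WHOLE hostname or its parent domain.
function strictAllows(origin) {
  if (origin === "null") return false;
  let u;
  try { u = new URL(origin); } catch { return false; }
  if (u.protocol !== "https:") return false;
  if (u.origin !== origin) return false; // must be a bare origin, no path/userinfo
  const host = u.hostname;
  return host === TRUSTED_HOST || host.endsWith("." + TRUSTED_HOST);
}

// Build CORS response headers. Credentials are only allowed together with an
// origin that passed the check; Vary: Origin keeps caches from mixing answers.
function corsHeadersFor(origin, allows) {
  const headers = { "Vary": "Origin" };
  if (typeof origin === "string" && allows(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// The hunt check: the response is exploitable only if it reflects the origin
// we sent AND allows credentials. Reflection alone is the low-impact case.
function isExploitable(sentOrigin, responseHeaders) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  const creds = responseHeaders["Access-Control-Allow-Credentials"];
  return acao === sentOrigin && String(creds).toLowerCase() === "true";
}

// Constructed probe, as in the Burp step: send Origin: https://evil.com.
const probe = "https://evil.com";
console.log("sloppy allows evil look-alike:", sloppyAllows("https://target.com.evil.com"));
console.log("strict allows evil look-alike:", strictAllows("https://target.com.evil.com"));
console.log("reflect-everything server exploitable:",
  isExploitable(probe, corsHeadersFor(probe, () => true)));
console.log("strict server exploitable:",
  isExploitable(probe, corsHeadersFor(probe, strictAllows)));
```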
Why It Matters
The Allow-Credentials: true part is key. It means the browser will send the victim's cookies, so your evil page can read their PRIVATE, logged-in data: emails, account info, whatever the API returns. Without credentials, it's usually low impact. WITH credentials reflected to any origin? That's the serious version.
My Honest Tip
Always test the combo: reflected origin + credentials allowed. A site reflecting any origin but NOT allowing credentials is often not very impactful (it can only read public stuff). The money is in the combination. Check both headers, every time, before you get excited.
Trust carefully!