search

Cross Origin Resource Sharing

hashtag
Check List

hashtag
Methodology

hashtag
Black Box

hashtag
CORS Misconfigurationarrow-up-right

1

Go to any API endpoint that returns user data like /api/account, /api/user, /api/profile, /api/keys

2

Open Burp Suite, Repeater, Send a normal request to the target API and Add or modify the Origin header to your domain

Origin: https://evil.com
3

Send the request and Check response headers for 

Access-Control-Allow-Origin: https://evil.com
Access-Control-Allow-Credentials: true
4

If both are present, Reflected CORS Misconfig, CONFIRMED

hashtag
White Box

hashtag
Cheat Sheet

PreviousClient Side Resource ManipulationNextClient Side Template Injection

Last updated