Cross Origin Resource Sharing

Check List

Methodology

CORS Misconfiguration

1. Go to any API endpoint that returns user data, such as /api/account, /api/user, /api/profile or /api/keys.

2. Open Burp Suite, send a normal request to the target API from Repeater, and add or modify the Origin header so that it points at a domain you control:

   Origin: https://evil.com

3. Send the request and check the response for these two headers:

   Access-Control-Allow-Origin: https://evil.com
   Access-Control-Allow-Credentials: true

4. If both headers are present (the supplied origin is reflected back and credentials are allowed), the reflected CORS misconfiguration is confirmed.
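The check in steps 3 and 4 and the fix on the server side, as an added example that is not part of the original page: a reflecting CORS handler next to an allowlist-based one, plus the header check a scanner or unit test would apply. The allowlist entries are constructed; substitute your own origins.

```python
# Added example (not from the original page): a reflecting CORS handler beside an
# allowlist-based one, plus the response-header check from steps 3 and 4.
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist of trusted origins (scheme + host, no path); substitute your own.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})


def cors_headers_reflecting(origin: Optional[str]) -> dict:
    """Vulnerable pattern: echo whatever Origin the browser sent and allow credentials.
    Browsers refuse credentials with '*', which is why echoing an arbitrary origin
    together with Allow-Credentials: true is the combination step 4 looks for."""
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers_allowlist(origin: Optional[str]) -> dict:
    """Hardened pattern: exact match of scheme://host against the allowlist;
    anything else (unknown host, http, 'null', suffix tricks) gets no CORS headers."""
    if origin is None:
        return {}
    parts = urlsplit(origin)
    normalized = f"{parts.scheme}://{parts.netloc}".lower()
    if parts.scheme != "https" or normalized not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": normalized,
            "Access-Control-Allow-Credentials": "true",
            # Vary tells caches the response depends on Origin.
            "Vary": "Origin"}


def is_reflected_misconfig(probe_origin: str, response_headers: dict) -> bool:
    """Step 4 of the methodology: the finding is confirmed only when the probe origin
    comes back in Access-Control-Allow-Origin AND credentials are allowed."""
    h = {k.lower(): v for k, v in response_headers.items()}
    return (h.get("access-control-allow-origin") == probe_origin
            and h.get("access-control-allow-credentials", "").lower() == "true")


if __name__ == "__main__":
    probe = "https://evil.com"
    print("reflecting handler:", is_reflected_misconfig(probe, cors_headers_reflecting(probe)))
    print("allowlist handler: ", is_reflected_misconfig(probe, cors_headers_allowlist(probe)))
```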


White Box

Cheat Sheet
