Exploiting Misconfigured CORS (Cross Origin Resource Sharing)

Hello Friends!

A few days ago I noticed a blog post about exploiting Facebook Messenger chat and reading all of a user's chats, which made me interested in the underlying issue. Basically it was a misconfigured CORS setup where the null origin is allowed with credentials set to true. This was not something I heard for the first time: @albinowax from PortSwigger explained it very well in his blog post. So after reading that Messenger post I went to test for the same issue on some targets where I was allowed to test it.

But before that, here are some tips about CORS and when it can be exploited from an attacker's point of view:

  • Poorly implemented, best case for attack:

Access-Control-Allow-Origin: https://attacker.com
Access-Control-Allow-Credentials: true

  • Poorly implemented, exploitable:

Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: true

  • Bad implementation but not exploitable:

Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true

or just

Access-Control-Allow-Origin: *

Even this is not good from a development point of view, but because of CORS's own rules, if Access-Control-Allow-Origin is set to * the browser will not honour Access-Control-Allow-Credentials: true, which means no access to the victim's cookies.

When you can't exploit it even if the above misconfigurations are present:

  • Presence of any custom header in the request which is used to authenticate the user.
  • Presence of a unique authentication key/token in the request URI.

I am not going to go much deeper into CORS, as the earlier blog post covered it very well.
So above I mentioned 3 cases, of which the first two are exploitable. An example of the 2nd case is the Facebook Messenger chat issue I mentioned at the start of this post, and an example of the 1st case is one I found just 2 days ago, where any arbitrary Origin is allowed and the same Origin gets reflected back in Access-Control-Allow-Origin with Credentials set to true. The best way I found to check for CORS issues is using curl.

e.g.: curl https://test.victim.com -H "Origin: https://geekboy.ninja" -I and check whether the Origin is reflected in the response or not.

Or, if you are a Burp Pro user, Burp Active Scan may find this for you, but in my case it didn't; I don't know the reason. When I curled my target manually with curl https://my.target.com -H "Origin: https://geekboy.ninja" -I the Origin did not get reflected, but when I curled the specific endpoint that returns all the user's data, curl https://my.target.com/api/web/user -H "Origin: https://geekboy.ninja" -I, it reflected my host back with Credentials set to true, and that's enough to make this work and steal all that data.
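As an added example (not code from the original post), here is a small Node.js helper that takes the raw header block curl -I prints, parses it, and sorts the response into the three cases listed above, also applying the caveat about header-based authentication. The sample responses, the https://probe.example origin and the request headers are all constructed for illustration.

```javascript
'use strict';

// Added example, not code from the original post. Parses the header block
// that "curl -I" prints and classifies it into the cases listed in the post.
// All sample responses below are constructed; https://probe.example stands
// in for whatever Origin value you sent in the request.

function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue; // skips the status line ("HTTP/1.1 200 OK") and blanks
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

// Returns one of the case labels used in the post.
function classifyCors(sentOrigin, headers) {
  const acao = (headers['access-control-allow-origin'] || '').trim();
  const acac = (headers['access-control-allow-credentials'] || '').trim().toLowerCase() === 'true';

  if (acao === '') return 'no CORS headers';
  if (acao === '*') {
    // Case 3: the browser refuses a credentialed response whose ACAO is "*",
    // so the victim's cookies never come into play.
    return acac ? 'case 3: wildcard with credentials (not exploitable)'
                : 'case 3: wildcard only';
  }
  if (!acac) return 'origin allowed without credentials';
  if (acao === 'null') return 'case 2: null origin with credentials';
  if (acao === sentOrigin) return 'case 1: arbitrary origin reflected with credentials';
  return 'fixed origin with credentials (allowlisted, not reflected)';
}

// The post's caveat: when the request is authenticated by a custom header
// (e.g. Authorization) rather than by cookies, a cross-origin page cannot
// supply it, so even case 1 or case 2 does not expose the data.
function assess(sentOrigin, requestHeaders, responseHeaders) {
  const label = classifyCors(sentOrigin, responseHeaders);
  const headerAuth = Object.keys(requestHeaders)
    .some((h) => h.toLowerCase() === 'authorization');
  const credentialedRead = label.startsWith('case 1') || label.startsWith('case 2');
  return { label, exploitable: credentialedRead && !headerAuth };
}

// Constructed samples of what "curl -I" might print for each case.
const SAMPLE_REFLECTED = [
  'HTTP/1.1 200 OK',
  'Content-Type: application/json',
  'Access-Control-Allow-Origin: https://probe.example',
  'Access-Control-Allow-Credentials: true',
  '',
].join('\r\n');

const SAMPLE_NULL = [
  'HTTP/1.1 200 OK',
  'Access-Control-Allow-Origin: null',
  'Access-Control-Allow-Credentials: true',
  '',
].join('\r\n');

const SAMPLE_WILDCARD = [
  'HTTP/1.1 200 OK',
  'Access-Control-Allow-Origin: *',
  'Access-Control-Allow-Credentials: true',
  '',
].join('\r\n');

const PROBE_ORIGIN = 'https://probe.example';

for (const [name, raw] of [['reflected', SAMPLE_REFLECTED], ['null', SAMPLE_NULL], ['wildcard', SAMPLE_WILDCARD]]) {
  console.log(name, assess(PROBE_ORIGIN, { cookie: 'session=abc' }, parseHeaders(raw)));
}
```

Paste the output of your own curl -I run into parseHeaders and pass the request headers you actually sent; a cookie-only request against the reflected sample comes back exploitable, while the same response behind an Authorization header does not.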

I made a quick PoC for it:


And here is how it worked 🙂

Sources for better understanding of CORS:


Views/Suggestions/Edits always welcome 🙂

45 thoughts on “Exploiting Misconfigured CORS (Cross Origin Resource Sharing)”

    • admin says:

      Hello ak1t4,

      In your same reference, if you noticed the header named “Access-Control-Allow-Credentials”: if this is not set to true, you can't access the response of your request; in simple terms, you can't ride on the user's cookie.

      So even if “Access-Control-Allow-Origin” is set to “*” but “Access-Control-Allow-Credentials” is not set to “true”, then you can't abuse the behaviour, but true, setting “Access-Control-Allow-Origin” to “*” is not good practice.

      Hope this will clear your doubt.

    • @ak1t4
      Hi sir, I am very sorry for any confusion after my post. Actually I did this post on a very basic environment just to show how CORS can be abused. After the PortSwigger post, we have also discussed the same thing in the comments.

      @geekboy, thank you for your great post; huge fan of your work on HackerOne. Learnt so much from you in web app security.

      Overall conclusion: in order to steal something from the authenticated response, Access-Control-Allow-Credentials must be set to true.

  1. Hi geekboy,

    I found on one website that
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Credentials: true

    As per your tutorial it's case 3.

    So I used the curl command but I am getting an authorization error.
    I got a header like
    Authorization: Bearer realm blah blah..
    an authentication object was not found in the security content.
    Can you please explain?

    • admin says:

      Sure, if you read it again, I updated the blog: if there is any additional header or header-based authentication present, then you can't abuse this behaviour.

  2. Mansoor Gilal says:

    Thanks for the clarification on the above screenshot.
    I'm getting the same, but when I try to exploit it I can't find anything
    useful. You haven't described the last part where you exploited it, maybe
    for privacy reasons, but it would be appreciated if you could clear
    my confusion about why my exploit isn't working and what I'm missing there.


      • Mansoor Gilal says:

        I'm getting the same response as you got using curl, even using Burp or any other source, but the main part here is what I didn't understand: how to exploit it, how to perform the attack with an exploit.
        If you could share how to actually use an exploit against this.

        • admin says:

          Hey, you can make GET & POST requests on behalf of the victim, like you do in CSRF, and you can retrieve the info as well.

  3. thrust123 says:

    Could you please tell me how to exploit this further after the curl command? The code snippet under the PoC is really confusing me as I'm not a coding guy. Could you please assist me in getting the sensitive response in the malicious domain/browser?

  4. Saad says:

    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0
    Accept: application/json;version=1.0.1
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Authorization: APIKey apikey=prdakyrespQBtEtvaclVBEgFGmd7NQflbRaCvHRhAy, apikey_version=1.0
    itid: mw-111-24698fd8-53ab-4fbf-92b23-c7da9rc41d53d
    Cache-Control: no-cache
    Pragma: no-cache
    Referer: somedomain.com
    Origin: attacker.com

    In response, I am getting this:
    Access-control-allow-credentials: True
    Access-control-allow-origin: attacker.com

  5. Arpit says:

    Hi Geekboy,

    Can you tell me how I can inject this code into a CORS-vulnerable site?

    function cors() {
      var xhttp = new XMLHttpRequest();
      xhttp.onreadystatechange = function() {
        if (this.readyState == 4 && this.status == 200) {
          document.getElementById("demo").innerHTML = this.responseText;
        }
      };
      xhttp.open("GET", "https://demo.test.com/abc/ab/abcd", true);
      xhttp.withCredentials = true;
      xhttp.send();
    }

  6. utkarsh says:

    Hey admin, I want to ask something; I don't know if what I am asking is valid or not, but anyway:

    How did you get the contents in your domain? I mean, in your code you didn't specify your domain, but you get the contents? How? What am I missing here? Please clarify for me, I hope you understand the question :-p

    • Geekboy says:

      Hey, surely I can see what you mean here!

      I can see the content on my host as I hosted the code on my domain; you can host it wherever you prefer. As for the PoC, it's test PoC code; you need to change it as per your target if it's vulnerable.

  7. utkarsh says:

    Hey admin! I want to know what the cause is of the input/Host you provided being reflected back in the response; what is the weak config behind this?

    Can you please help me out with this?

  8. Ranjana says:

    How can we say this is an issue, as if the app URL is hit directly I get the details, so how is making the response display in an alert an issue?
    Sorry but I am a bit confused.

    If it's an issue, how can one remediate it?

    • Geekboy says:

      If you are able to load authenticated data via your controlled host, it should be an issue, and by validating the requesting ORIGIN value you can fix it.

  9. Sachin says:
    If a website uses CORS and one of the POST requests to an API endpoint allows ACAO to be set to anything using Burp, is it a security issue? If so, how can one prove it?

  10. sachin says:

    Thanks for the quick response; could you please let me know how the below POST request can be added to the request as you suggested above?

    “POST /test/demo_form.php HTTP/1.1
    Host: w3schools.com
