testing-cors-misconfiguration

# Testing CORS Misconfiguration ## When to Use - During authorized penetration tests when assessing API endpoints for cross-origin access controls - When testing single-page applications that make cross-origin API requests - For evaluating whether sensitive data can be exfiltrated from a victim's browser session - When assessing microservice architectures with multiple domains sharing data - During security audits of applications using CORS headers for cross-domain communication ## Prerequisites - **Authorization**: Written penetration testing agreement for the target - **Burp Suite Professional**: For intercepting and modifying Origin headers - **Browser with DevTools**: For observing CORS behavior in real browser context - **Attacker web server**: For hosting CORS exploitation PoC pages - **curl**: For manual CORS header testing - **Python HTTP server**: For hosting exploit pages locally ## Workflow ### Step 1: Identify CORS Configuration on Target Endpoints Check all API endpoints for CORS response headers. ```bash # Test with a foreign Origin header curl -s -I \ -H "Origin: https://evil.example.com" \ "https://api.target.example.com/api/user/profile" # Check for CORS headers in response: # Access-Control-Allow-Origin: https://evil.example.com (BAD: reflects any origin) # Access-Control-Allow-Origin: * (BAD if with credentials) # Access-Control-Allow-Credentials: true (allows cookies) # Access-Control-Allow-Methods: GET, POST, PUT, DELETE # Access-Control-A...