Misconfigured CORS

CORSCross-Origin Resource SharingCORS Bypass

Misconfigured CORS at a glance

What it is: Cross-Origin Resource Sharing (CORS) misconfigurations that allow untrusted origins to access sensitive resources, enabling cross-origin attacks and data theft.

Why it happens: CORS vulnerabilities occur when servers use wildcard or reflected origins, allow unsafe methods or headers, or enable credentials unnecessarily, exposing sensitive data across origins.

How to fix: Avoid wildcard origins with credentials, validate and allowlist trusted origins, never reflect unverified Origin headers, and use credentials only when essential.

Overview

Cross-Origin Resource Sharing (CORS) is a browser security mechanism that controls how web pages from one origin can access resources from another origin. Proper CORS configuration is critical for protecting sensitive data and operations.

Common CORS misconfigurations include using wildcard (*) origins with credentials, reflecting any Origin header without validation, overly permissive allowed methods and headers, missing origin validation against an allowlist, and enabling credentials for public APIs. These misconfigurations allow malicious websites to make authenticated cross-origin requests and steal sensitive user data.

sequenceDiagram participant Victim participant Malicious as Malicious Site participant API as Vulnerable API Victim->>Malicious: Visit attacker site Malicious->>API: Fetch /api/user (with victim's cookies) API->>API: Reflect Origin: evil.com API-->>Malicious: Access-Control-Allow-Origin: evil.com<br/>Access-Control-Allow-Credentials: true<br/>+ sensitive data Malicious->>Malicious: Steal victim data Note over API: Missing: Origin validation<br/>Vulnerable: Reflects any origin

A potential flow for a Misconfigured CORS exploit

Where it occurs

CORS vulnerabilities occur in API or web server configurations that allow any origin, reflect origins without validation, or enable excessive methods, headers, or credentials.

Impact

CORS misconfigurations enable cross-origin data theft where malicious sites steal user data, authentication bypass through credential inclusion, unauthorized API operations, sensitive information disclosure, and can be combined with CSRF for more severe attacks.

Prevention

Prevent CORS misconfigurations by strictly validating origins against an allowlist, never using wildcards with credentials, limiting allowed methods and headers, enabling credentials only when needed, and testing configurations for leaks.

Examples

Switch tabs to view language/framework variants.

CORS configuration reflects any origin with credentials

Server reflects Origin header allowing cross-origin data theft.

Vulnerable

JavaScript • Express — Bad

const express = require('express');
const app = express();

app.use((req, res, next) => {
    // BUG: Reflects any origin
    res.header('Access-Control-Allow-Origin', req.headers.origin);
    res.header('Access-Control-Allow-Credentials', 'true');
    next();
});

app.get('/user/profile', (req, res) => {
    res.json({ email: req.user.email, ssn: req.user.ssn });
});

Line 6: Reflects any origin

Reflecting any origin with credentials allows attackers to steal user data.

Secure

JavaScript • Express — Good

const express = require('express');
const app = express();

const ALLOWED_ORIGINS = [
    'https://app.example.com',
    'https://mobile.example.com'
];

app.use((req, res, next) => {
    const origin = req.headers.origin;
    
    if (ALLOWED_ORIGINS.includes(origin)) {
        res.header('Access-Control-Allow-Origin', origin);
        res.header('Access-Control-Allow-Credentials', 'true');
    }
    next();
});

app.get('/user/profile', (req, res) => {
    res.json({ email: req.user.email });
});

Line 4: Allowlist of trusted origins
Line 12: Validate before setting header

Use an allowlist of trusted origins and validate before setting CORS headers.

CORS configuration reflects arbitrary origins enabling credential theft

Application reflects any Origin header in Access-Control-Allow-Origin with credentials enabled.

Vulnerable

Python • Flask — Bad

# Vulnerable: Reflects any origin with credentials
from flask import Flask, request, jsonify

app = Flask(__name__)

@app.after_request
def add_cors_headers(response):
    # VULNERABLE: Reflects any origin!
    origin = request.headers.get('Origin')
    if origin:
        response.headers['Access-Control-Allow-Origin'] = origin
        response.headers['Access-Control-Allow-Credentials'] = 'true'
        response.headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE'
        response.headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization'
    return response

@app.route('/api/user/profile', methods=['GET'])
def get_profile():
    user_id = get_current_user_id_from_session()
    user = User.query.get(user_id)
    return jsonify({
        'id': user.id,
        'email': user.email,
        'credit_card_last4': user.cc_last4,
        'balance': user.account_balance
    })

Line 9:
Line 11:

The vulnerable code reflects whatever value is in the Origin header back in Access-Control-Allow-Origin. This completely defeats CORS protection.

Combined with Access-Control-Allow-Credentials: true, this allows ANY website to make authenticated requests to the API and read the responses.

An attacker can host a malicious page that makes fetch() requests with 'credentials: include', causing the victim's browser to send cookies. The server reflects the attacker's origin, so the browser allows the attacker's JavaScript to read the response.

This enables complete theft of user data and can be used to perform actions on behalf of users.

Secure

Python • Flask — Good

# Secure: Strict origin allowlist with credentials
from flask import Flask, request, jsonify

app = Flask(__name__)

# Allowed origins - explicit allowlist
ALLOWED_ORIGINS = [
    'https://app.example.com',
    'https://mobile.example.com',
    'https://admin.example.com'
]

@app.after_request
def add_cors_headers(response):
    origin = request.headers.get('Origin')
    
    # Only allow explicitly listed origins
    if origin in ALLOWED_ORIGINS:
        response.headers['Access-Control-Allow-Origin'] = origin
        response.headers['Access-Control-Allow-Credentials'] = 'true'
    else:
        # For public endpoints without credentials, can use wildcard
        # But NEVER combine wildcard with credentials
        pass
    
    response.headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE'
    response.headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization'
    response.headers['Access-Control-Max-Age'] = '3600'
    
    return response

# Alternative: Use Flask-CORS with proper config
from flask_cors import CORS

CORS(app, 
    origins=ALLOWED_ORIGINS,
    supports_credentials=True,
    max_age=3600
)

@app.route('/api/user/profile', methods=['GET'])
def get_profile():
    user_id = get_current_user_id_from_session()
    user = User.query.get(user_id)
    
    # Additional CSRF protection
    csrf_token = request.headers.get('X-CSRF-Token')
    if not validate_csrf_token(csrf_token, user_id):
        return jsonify({'error': 'Invalid CSRF token'}), 403
    
    return jsonify({
        'id': user.id,
        'email': user.email,
        'credit_card_last4': user.cc_last4,
        'balance': user.account_balance
    })

Line 7:
Line 15:
Line 44:

The secure implementation maintains an explicit allowlist of permitted origins. Only these trusted domains receive CORS headers allowing credentialed requests.

The origin check is strict - it must exactly match an entry in the allowlist. Partial matches, regex matches, or null origins are rejected.

For public APIs that don't require credentials, you can use Access-Control-Allow-Origin: * but NEVER combine a wildcard with credentials: true.

Additional CSRF token validation provides defense in depth. Even if CORS were misconfigured, the CSRF protection would prevent unauthorized actions.

Using a well-tested library like Flask-CORS reduces the risk of implementation errors.

Engineer Checklist

Maintain explicit allowlist of trusted origins
Never use Access-Control-Allow-Origin: * with credentials
Don't reflect Origin header without validation
Only enable Access-Control-Allow-Credentials when required
Restrict Access-Control-Allow-Methods to needed methods
Be specific with Access-Control-Allow-Headers
Validate Origin against allowlist before responding
Don't trust null origin (can be triggered by sandboxed iframes)
Use CORS libraries with secure defaults
Test CORS configuration with different origins
Monitor for unexpected cross-origin requests

End-to-End Example

An API reflects any Origin header with credentials enabled, allowing malicious websites to steal user data through authenticated cross-origin requests.

Vulnerable

JAVASCRIPT

// Vulnerable: Reflects any origin
res.setHeader('Access-Control-Allow-Origin', req.headers.origin);
res.setHeader('Access-Control-Allow-Credentials', 'true');

Secure

JAVASCRIPT

// Secure: Validate against allowlist
const allowedOrigins = ['https://app.example.com', 'https://app2.example.com'];
const origin = req.headers.origin;

if (allowedOrigins.includes(origin)) {
  res.setHeader('Access-Control-Allow-Origin', origin);
  res.setHeader('Access-Control-Allow-Credentials', 'true');
}

Discovery

Send requests with different Origin headers and observe if they're reflected in Access-Control-Allow-Origin responses.

1. Test CORS configuration
http
Action

Send cross-origin request with Origin header
Request
GET https://api.example.com/data

Body:

"Origin: https://evil.com"
Response
Status: 200

Body:

{ "note": "Access-Control-Allow-Origin reflects evil.com" }
Artifacts

cors_misconfiguration origin_reflection
2. Test credentials in CORS
http
Action

Check if credentials allowed with wildcard origin

Request

GET https://api.example.com/user
Response
Status: 200

Body:

{ "note": "Allow-Credentials: true with Allow-Origin: *" }
Artifacts

credential_exposure cors_vulnerability
3. Test preflight bypass
http
Action

Send simple request without preflight

Request

POST https://api.example.com/action
Response
Status: 200

Body:

{ "note": "State-changing operation succeeds from any origin" }
Artifacts

preflight_bypass csrf_equivalent

Exploit steps

Attacker hosts a malicious page that makes authenticated cross-origin requests to the vulnerable API, stealing user data through the browser's cookie mechanism.

1. Steal user data via CORS

Cross-origin data theft
http
Action

Use misconfigured CORS to read user data from attacker site

Request

GET fetch('https://api.example.com/user', {credentials: 'include'})
Response
Status: 200

Body:

{ "note": "User's private data accessible to attacker's JavaScript" }
Artifacts

stolen_user_data session_hijacking
2. Execute authenticated actions

Cross-origin state change
http
Action

Perform actions as victim user

Request

POST fetch('https://api.example.com/transfer', {method: 'POST', credentials: 'include'})
Response
Status: 200

Body:

{ "note": "Attacker performs actions using victim's session" }
Artifacts

unauthorized_action account_compromise
3. Exfiltrate sensitive API responses

Mass data extraction via CORS
http
Action

Read all accessible endpoints from victim's session

Request

GET malicious-site.com/steal.js
Response
Status: 200

Body:

{ "note": "Complete API data exfiltrated to attacker" }
Artifacts

api_data_theft privacy_breach

Specific Impact

Malicious websites can steal sensitive user data including personal information, authentication tokens, and perform unauthorized operations on behalf of authenticated users.

Fix

Always validate the Origin header against an explicit allowlist of trusted domains. Never reflect the Origin without validation. Only enable credentials when absolutely necessary and with strict origin restrictions.

Detect This Vulnerability in Your Code

Sourcery automatically identifies misconfigured cors vulnerabilities and many other security issues in your codebase.

Scan Your Code for Free