Cross-Origin Resource Sharing (CORS) controls which web origins may read responses from an API. A misconfiguration occurs when the server reflects the Origin header back in Access-Control-Allow-Origin while also setting Access-Control-Allow-Credentials: true, letting any attacker site read authenticated responses and steal user data.
The CORS Misconfiguration generator builds a fetch or XHR PoC that sends credentials: 'include' from your attacker page and varies the Origin header. Try a reflected origin, a null origin (via a sandboxed iframe or data: page), and subdomain/suffix tricks like trusted.com.evil.com or eviltrusted.com to see what the server trusts.
When a server echoes the request Origin into Access-Control-Allow-Origin and allows credentials, the same-origin policy is effectively disabled for any site. An attacker page can make the victim's browser send their session cookie and read the JSON response, exfiltrating private data. The fix is a strict origin allowlist, never wildcard reflection with credentials.
Yes, it generates the PoC HTML and JavaScript entirely client-side and sends nothing to any server, so your target details stay private. The output is intended only for demonstrating CORS flaws on systems you are authorized to assess in a bug bounty or pentest.