Cross-origin resource sharing (CORS) misconfigurations

Cross-origin resource sharing (CORS) is a browser mechanism which enables controlled access to resources located outside of a given domain. It extends and adds flexibility to the same-origin policy (SOP).

The vulnerabilities can be found in APIs, SPAs, and cloud services.

It persists because developers often misconfigure Access-Control-Allow-Origin (e.g., wildcards * with credentials), and complex architectures (microservices, CDNs) introduce edge-case flaws.

Not a waste of time—misconfigs are common and dangerous:

CORS vulnerability with basic origin reflection
CORS vulnerability with trusted null origin
CORS vulnerability with trusted insecure protocols
CORS vulnerability with internal network pivot attack

Last update: 2025-05-12 14:16

Cross-origin resource sharing (CORS) misconfigurations¶