CORS (Cross-Origin Resource Sharing)

Cross-Origin Resource Sharing (CORS) is a browser-enforced mechanism that controls how a web application loaded from one origin (scheme, host and port) may read resources served from a different origin. The server expresses its policy in response headers; the browser, not the server, enforces it.

The same-origin policy normally prevents JavaScript from reading the response to a request it sends to an origin other than the one serving the page, and blocks non-simple requests outright unless a preflight succeeds. CORS provides a controlled way to relax this: the server names, via headers such as Access-Control-Allow-Origin, the origins that are permitted to read a given resource, and the browser exposes the response only when the requesting page's origin matches.

CORS misconfigurations are extremely common and can lead to serious security vulnerabilities. The most dangerous pattern is allowing every origin (Access-Control-Allow-Origin: *) while also sending Access-Control-Allow-Credentials: true. Browsers refuse to expose a credentialed response when the allowed origin is the literal *, but developers sometimes work around that by reflecting the request's Origin header into Access-Control-Allow-Origin, which is functionally the same insecure policy. Any malicious website can then make requests to the vulnerable API with the victim's cookies attached and read the responses, potentially stealing sensitive data or performing unauthorised actions on the victim's behalf.

Other CORS issues include overly permissive origin allowlists, improper validation of origins (accepting an origin because it contains, starts with or ends with a trusted domain, or matching it with a regular expression whose dots are unescaped), trusting the null origin (which sandboxed iframes, data: URLs and some redirects produce, so an attacker can obtain it), and exposing sensitive headers through Access-Control-Expose-Headers. Attackers exploit CORS misconfigurations by hosting a website that makes cross-origin requests to the vulnerable application from the victim's browser, so the victim's existing authentication (cookies) is sent automatically and the attacker's page can read or modify their data.
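As an added example (not code from the original page), the following JavaScript contrasts the two misconfigurations described above, reflecting the Origin and substring matching, with an exact-match allowlist, and models the browser-side check that decides whether a credentialed response is exposed. The allowlist entries, the attacker-controlled origin and the example.com domain are assumed values for illustration.

```javascript
// Added example, not code from the original page. Three ways a server might decide
// the CORS headers for an incoming Origin, plus a model of the browser-side check.
// The allowlist entries and the attacker origin are assumed values for illustration.

const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Misconfiguration 1: reflect whatever Origin the client sent and allow credentials.
// Functionally identical to "*" with credentials, which browsers would refuse.
function corsReflect(originHeader) {
  if (!originHeader) return {};
  return {
    "Access-Control-Allow-Origin": originHeader,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Misconfiguration 2: substring matching and trusting "null".
// "https://example.com.attacker.test" and "https://notexample.com" both contain
// "example.com", and "null" is the origin of a sandboxed iframe the attacker controls.
function corsSubstring(originHeader) {
  if (!originHeader) return {};
  const trusted = originHeader.includes("example.com") || originHeader === "null";
  if (!trusted) return {};
  return {
    "Access-Control-Allow-Origin": originHeader,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened: parse the Origin, check its normalised form for exact membership in an
// explicit allowlist, never accept "null", and send Vary: Origin so a shared cache
// cannot hand one origin's response to another.
function corsAllowlist(originHeader) {
  if (!originHeader) return {};
  let origin;
  try {
    origin = new URL(originHeader).origin; // "null" and other junk throw here
  } catch (_) {
    return { Vary: "Origin" };
  }
  if (!ALLOWED_ORIGINS.has(origin)) return { Vary: "Origin" };
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  };
}

// Models the browser check for a fetch made with credentials: "include". The response
// is exposed to the calling page only if Access-Control-Allow-Origin exactly equals the
// page's origin (a literal "*" is rejected when credentials are sent) and
// Access-Control-Allow-Credentials is "true".
function browserAllowsCredentialedRead(pageOrigin, responseHeaders) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  const acac = responseHeaders["Access-Control-Allow-Credentials"];
  return acao !== undefined && acao !== "*" && acao === pageOrigin && acac === "true";
}

const attacker = "https://example.com.attacker.test"; // assumed attacker-controlled origin

console.log(browserAllowsCredentialedRead(attacker, corsReflect(attacker)));   // true
console.log(browserAllowsCredentialedRead(attacker, corsSubstring(attacker))); // true
console.log(browserAllowsCredentialedRead("null", corsSubstring("null")));      // true
console.log(browserAllowsCredentialedRead(attacker, corsAllowlist(attacker)));  // false
console.log(browserAllowsCredentialedRead("https://app.example.com",
  corsAllowlist("https://app.example.com")));                                   // true
```

The hardened version deliberately goes through the URL parser rather than comparing strings: "https://app.example.com@attacker.test" parses to an origin of https://attacker.test and is rejected, and the "null" string is not a URL at all and never reaches the allowlist.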

CORS testing should include sending crafted Origin values to endpoints that return sensitive data or rely on cookie authentication, and checking whether the server reflects an arbitrary origin, accepts a partially matching or null origin, or allows a plaintext scheme, rather than validating against an explicit allowlist. A response that echoes the supplied origin together with Access-Control-Allow-Credentials: true is exploitable from any attacker-controlled page. The prevalence of CORS misconfigurations makes this a key area for security testing in modern web applications.
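The probing procedure above, written out as an added example in JavaScript (not from the original page): a function that derives the Origin values worth sending for a given target, a classifier for the headers that come back, and a constructed stand-in for the server so the whole thing runs offline. The target origin https://api.example.com, the probe shapes and the simulated suffix-matching server are all assumptions for illustration.

```javascript
// Added example, not from the original page: the Origin values a tester would send to
// a suspect endpoint and a classifier for the headers that come back. The target
// origin and the simulated server responses are constructed for illustration.

// Probe origins derived from the target. Each one exercises a different validation
// mistake; an attacker needs only one of them to be accepted with credentials.
function probeOrigins(targetOrigin) {
  const t = new URL(targetOrigin);
  const host = t.hostname;
  // Last two labels as a rough registrable domain (no public suffix list, so
  // "api.example.co.uk" would yield "co.uk"; adjust by hand for such targets).
  const registrable = host.split(".").slice(-2).join(".");
  return [
    "https://attacker.test",                    // arbitrary value: plain reflection
    `${t.protocol}//${host}.attacker.test`,     // startsWith / prefix check
    `${t.protocol}//attacker${registrable}`,    // endsWith / suffix check
    `${t.protocol}//${host.replace(".", "x")}`, // unescaped "." in a regex
    `http://${host}`,                           // scheme downgrade: plaintext origin trusted?
    `${t.protocol}//anything.${host}`,          // every subdomain trusted?
    "null",                                     // sandboxed iframe / data: URL origin
  ];
}

// Classify one response for one probe. Header names are compared case-insensitively
// because HTTP clients differ in how they present them.
function classifyCorsResponse(probeOrigin, responseHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const acao = h["access-control-allow-origin"];
  const credentialed = h["access-control-allow-credentials"] === "true";
  if (acao === undefined) return "none";
  if (acao === "*") return credentialed ? "wildcard-with-credentials" : "wildcard";
  if (acao === probeOrigin) return credentialed ? "origin-accepted-with-credentials" : "origin-accepted";
  return "other-origin";
}

// Run every probe through a responder and keep the ones a hostile page could exploit.
// `responder` stands in for the HTTP request: it takes an Origin value and returns the
// response headers. Against a live target, replace it with a real client (for example
// curl -H "Origin: ...") and feed the returned headers into classifyCorsResponse.
function findExploitableOrigins(targetOrigin, responder) {
  return probeOrigins(targetOrigin)
    .map((origin) => ({ origin, verdict: classifyCorsResponse(origin, responder(origin)) }))
    .filter((r) => r.verdict === "origin-accepted-with-credentials");
}

// Constructed responder mimicking a server that trusts any origin ending in
// "example.com", plus "null". Not a real server.
function constructedSuffixCheckServer(origin) {
  if (origin === "null" || origin.endsWith("example.com")) {
    return {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
      Vary: "Origin",
    };
  }
  return { Vary: "Origin" };
}

const hits = findExploitableOrigins("https://api.example.com", constructedSuffixCheckServer);
console.log(hits.map((r) => r.origin));
// [ 'https://attackerexample.com', 'https://apixexample.com',
//   'http://api.example.com', 'https://anything.api.example.com', 'null' ]
```

Two of the reported hits deserve a caveat when triaging: the regex-style probe "https://apixexample.com" is accepted here only because it happens to end in "example.com", and "https://anything.api.example.com" is exploitable only if an attacker can obtain or compromise a subdomain (dangling DNS records are a common route). The suffix probe, the scheme downgrade and the null origin are directly exploitable.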